[CentOS] CentOS VPN server for iPhone

2009-03-26 Thread Florin Andrei
So far, OpenVPN has been working very well for me. Unfortunately, the 
iPhone doesn't have (yet?) an OpenVPN client, so I'm forced to work with 
what's available.

The options are: L2TP, PPTP and IPSec. If you were to install a VPN 
endpoint on CentOS, which protocol would you prefer? The condition is to 
avoid shabby VPN servers that make the system less secure. I've seen 
some PPTP servers for Linux in the past but I was not impressed with 
their security track record. I'm not necessarily talking about crypto, 
I'm talking about the way the application is written.

Another condition is ease of installation. I will compile from source if 
I have no other choice, but I'd rather avoid wasting time with that, as 
I'm quite busy with non-tech things nowadays. If the application is in a 
repo somewhere, that would be perfect.

Thanks!

-- 
Florin Andrei

http://florin.myip.org/
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] CentOS VPN server for iPhone

2009-03-26 Thread Hywel Richards
Florin Andrei wrote:
> The options are: L2TP, PPTP and IPSec. If you were to install a VPN 
> endpoint on CentOS, which protocol would you prefer?  
>   

I know this doesn't answer your question as put, but it may be worth 
taking a different tack and supplying whatever services wrapped with 
SSL/TLS instead - I guess it depends exactly what you want the VPN for.

Hywel.



Re: [CentOS] live audio feed via telephone link

2009-03-26 Thread Ralph Angenendt
Frank Cox wrote:
> > I don't think you will be able to compress a
> > radio signal enough to fit over a dial line without a lot of loss. You would
> > need several lines multiplexed together for a decent sounding broadcast.
> 
> Well, that's what I'm looking into.  I remember listening to streaming audio
> over a 14.4 modem way-back-when which wasn't great quality but modems have
> gotten a lot faster than that since, too.  I don't know enough about it (yet)
> to be aware of exactly what can be accomplished.

They haven't gotten that much faster, really. If you want a modem for a
leased line, the (well, probably) only choice is this one:



Mind, the 56K in V92 is only for *one* direction, the upstream is
slower (33.6K) - and I have no idea if it is enough to have another one
of those on the other side of the line to do v92.

For a stable leased line with modems you are normally doing V34 at
33.6Kbps and that is only a bit more than double of what you have with
14.4Kbps.

Reading your first mail I thought "Hey, get a leased line and run SDSL
over that", but your two stations really seem to be too far away from
each other to do that.

Can you get ISDN where you are? 

Ralph




Re: [CentOS] CentOS VPN server for iPhone

2009-03-26 Thread Ralph Angenendt
Florin Andrei wrote:
> So far, OpenVPN has been working very well for me. Unfortunately, the 
> iPhone doesn't have (yet?) an OpenVPN client, so I'm forced to work with 
> what's available.
> 
> The options are: L2TP, PPTP and IPSec. If you were to install a VPN 
> endpoint on CentOS, which protocol would you prefer? 

IPSEC.

That's only a few entries in a file in /etc/sysconfig/network-scripts
away from a working solution >:)



Cheers,

Ralph




Re: [CentOS] Broken link in the documentation.

2009-03-26 Thread Ralph Angenendt
Marcelo M. Garcia wrote:
> There is a broken link in the documentation of CentOS 5.2. I was reading 
> about e-mail and when you follow the link from POP (24.1.2.1 in 
> Deployment guide) to IMAP, you got the following message:
> "Not Found
> 
> The requested URL 
> /docs/5/html/5.2/Deployment_Guide/s3-email-protocols-imap.html was not 
> found on this server."

Website? Please file a bug (or wait for 5.3 - real soon! now) at
bugs.centos.org in the website category.

Thanks!

Ralph




Re: [CentOS] live audio feed via telephone link

2009-03-26 Thread James Bensley
I would have thought that ISDN would be the perfect solution and if not settle
for a standard POTS line and use one of the following;

http://www.tieline.com/

http://www.glensound.co.uk/GS-MPI004%20Broadcasters%20Mobile%20Phone.htm

http://www.pots.audiotx.com/

http://www.sonifex.co.uk/codecs/index.shtml


Re: [CentOS] how to access encrypted EXT3 partition from Windows

2009-03-26 Thread John R. Dennison
On Thu, Mar 26, 2009 at 11:19:30AM +, Ionut Vancea wrote:
> 
> you can also check: http://en.wikipedia.org/wiki/FreeOTFE

Very interesting.  Thank you for the reference.




John

-- 
"I'm sorry but our engineers do not have phones."
As stated by a Network Solutions Customer Service representative when asked to
be put through to an engineer.

"My other computer is your windows box."
 Ralf Hildebrandt
 trying to play sturgeon while it's under attack is apparently not fun.




Re: [CentOS] how to access encrypted EXT3 partition from Windows

2009-03-26 Thread Ionut Vancea
Hi,

On Wed, Mar 25, 2009 at 8:04 AM, Rudi Ahlers  wrote:
>
> Thanx John, I'll check it out

you can also check: http://en.wikipedia.org/wiki/FreeOTFE

Cheers,
Ionut

===
Ioan Vancea
http://www.vioan.ro


Re: [CentOS] Security advice, please

2009-03-26 Thread Anne Wilson
On Monday 23 March 2009 18:59:51 Steve Huff wrote:
> On Mar 23, 2009, at 2:37 PM, Anne Wilson wrote:
> > OK - I'm thick.  I've looked at that page and seen only what I'm
> > already
> > familiar with.  Please, in plain English, how do I set ssh to come
> > in on port
> > 22022 (service called ext-ssh already set up for that) to be
> > forwarded to
> > 192.168.0.xx port 22?
>
> Anne,
>
> if the router really isn't making it easy for you to forward from port
> 22022 to port 22, you could also solve this problem by having sshd
> listen on port 22022 on the server.  do this by editing /etc/ssh/
> sshd_config such that the following two lines *both* appear before any
> ListenAddress specification:
>
> Port 22
> Port 22022
>
> if you're running a software firewall on the host, make sure you poke
> a hole so that traffic can pass from the router to port 22022 on the
> server.  then configure the router to forward from external port 22022
> to internal port 22022, and you're done.
>
> -steve
>
Hopefully this is correctly set up now, but I can't test it until I go to 
somewhere with an open wifi.  Thanks. It may be a couple of weeks before I can 
report back, but I'll let you know how I fared.

Anne
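
Added example, not part of the thread: a check for the ordering rule in the advice quoted above, assuming sshd binds a ListenAddress that has no explicit port only to the Port lines that precede it. The function names, the 192.168.0.10 address and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: sshd applies a port-less
# ListenAddress only to the Port lines that precede it, as the advice above says.

# Print one "address:port" line per socket sshd would bind, reading an
# sshd_config from stdin. Match blocks and rdomain qualifiers are not handled.
effective_listeners() {
    awk '
    function has_port(a,    n, parts) {
        # Bracketed IPv6 such as [::1]:22022
        if (substr(a, 1, 1) == "[") return (a ~ /\]:[0-9]+$/)
        # host:port has exactly one colon; a bare IPv6 address has several
        n = split(a, parts, ":")
        return (n == 2) && (parts[2] ~ /^[0-9]+$/)
    }
    /^[ \t]*(#|$)/ { next }                  # comments and blank lines
    { key = tolower($1) }                    # keywords are case-insensitive
    key == "port" { ports[++np] = $2; next }
    key == "listenaddress" {
        seen = 1
        if (has_port($2)) {
            print $2
        } else if (np == 0) {
            print $2 ":22"                   # built-in default port
        } else {
            for (i = 1; i <= np; i++) print $2 ":" ports[i]
        }
        next
    }
    END {
        # No ListenAddress at all: every Port applies to all local addresses
        if (!seen) {
            if (np == 0) {
                print "*:22"
            } else {
                for (i = 1; i <= np; i++) print "*:" ports[i]
            }
        }
    }'
}

# Succeeds if the config on stdin yields a listener on the given port.
listens_on() {
    effective_listeners | grep -q ":$1\$"
}

# Constructed sample: both Port lines come before ListenAddress.
sample_good() {
    cat <<'EOF'
Port 22
Port 22022
ListenAddress 192.168.0.10
EOF
}

# Constructed sample: Port 22022 comes after ListenAddress, so under the
# ordering rule nothing is bound to 22022 and the forwarded port is dead.
sample_misordered() {
    cat <<'EOF'
Port 22
ListenAddress 192.168.0.10
Port 22022
EOF
}

for cfg in sample_good sample_misordered; do
    echo "$cfg:"
    "$cfg" | effective_listeners | sed 's/^/  /'
done
```

Feed it the real file with `effective_listeners < /etc/ssh/sshd_config` and compare the result with what the router forwards and what the host firewall allows.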





Re: [CentOS] live audio feed via telephone link

2009-03-26 Thread Phil Schaffner
Frank Cox wrote:
> I'm looking into costs and feasibility of moving a live feed from a FM radio
> station from the station to a point that's past the usable range of their 
> radio
> signal. It's a rural location and Internet service is not available at the
> station.  If the destination was closer or their transmitter was more 
> powerful,
> I could avoid this step and just plug in a radio, but

Might want to consider the one-time cost of a nice directional antenna 
pointed at your radio station on a tower (possibly an already-existing 
one - cell phone or other radio/communications) at a location with 
internet access, versus the yearly cost of other alternatives suggested. 
  If there are no mountains in the way 52.3km is not a long way for a 
radio signal to travel.  The engineer who maintains the station should 
be able to help, or find a local ham radio operator who is knowledgeable 
about antennas and propagation to do the link calculations and determine 
antenna gain requirements for you before investing in such an approach.

Phil


[CentOS] Installing on partitionable RAID arrays

2009-03-26 Thread RedShift
Hello


Since linux 2.6, the md layer has a feature called partitionable arrays. So 
instead of having two disks, creating an identical partition table on both and 
then putting those partitions in RAID 1, you take those two disks and put them 
in one partitionable RAID 1 array (in mdadm terms, "mdp") and create a 
partition table on the new RAID device. The advantages are quite clear compared 
to the old non-partitionable arrays.

My question is, is this supported by CentOS? The GTK installer doesn't provide 
a way to create such an mdp device and the integrated partitioning tool does 
not see for example md_d0 when I create it manually from the console.

Another way to get CentOS on such a configuration would be to do everything 
manually, thus installing the base system by creating the necessary disk 
allocations and then rpm -i all the required packages to get it to boot. (I've 
done this before, it's not a big deal, you just need to follow a certain order 
- I remember documenting it somewhere but forgot). But since this method is 
probably not officially documented anywhere or even supported I most likely 
won't get any support if this setup were to fail somehow (like when upgrading 
between minor versions).

I've tried STFW'ing, but searching for centos and partitionable arrays is too 
ambiguous.


Thanks,


Best regards,


Glenn Matthys 


Re: [CentOS] Installing on partitionable RAID arrays

2009-03-26 Thread RedShift

RedShift wrote:

> Hello
>
>
> Since linux 2.6, the md layer has a feature called partitionable arrays. So instead of 
> having two disks, creating an identical partition table on both and then putting those 
> partitions in RAID 1, you take those two disks and put them in one partitionable RAID 1 
> array (in mdadm terms, "mdp") and create a partition table on the new RAID 
> device. The advantages are quite clear compared to the old non-partitionable arrays.
>
> My question is, is this supported by CentOS? The GTK installer doesn't provide 
> a way to create such an mdp device and the integrated partitioning tool does 
> not see for example md_d0 when I create it manually from the console.
>
> Another way to get CentOS on such a configuration would be to do everything 
> manually, thus installing the base system by creating the necessary disk 
> allocations and then rpm -i all the required packages to get it to boot. (I've 
> done this before, it's not a big deal, you just need to follow a certain order 
> - I remember documenting it somewhere but forgot). But since this method is 
> probably not officially documented anywhere or even supported I'll most likely 
> won't get any support if this setup were to fail somehow (like when upgrading 
> between minor versions).
>
> I've tried STFW'ing, but searching for centos and partitionable arrays is too 
> ambiguous.
>
>
> Thanks,
>
>
> Best regards,
>
>
> Glenn Matthys 



As a follow-up, I found the documentation I wrote how to install CentOS without 
any installer:


# First, setup your disks to your liking. You can use whatever you want here,
# RAID, LVM, etc... Remember your disk configuration because you'll need it
# to configure grub, menu.lst and fstab. Using RAID, LVM, or others will require
# more configuration than this guide covers. To keep it simple I'm using a
# single disk. An example:

$ fdisk /dev/sda
$ mount /dev/sda3 /target
$ mkdir /target/boot
$ mount /dev/sda1 /target/boot

# Depending on the host OS you're using, you may need to initialize the rpm db
# on the host OS
$ rpm --initdb

# Use the following command to install the packages. I'll be addressing this
# command as $rpm.

$ rpm --root /target -i 


# Use your shell's tab completion to complete the package filenames. I
# deliberately left out the versions so these instructions apply to a wide range
# of versions

# Let's install some basics
$rpm setup basesystem filesystem

# Install bash first, this is needed for post-install scripts
$rpm bash glibc glibc-common termcap libgcc tzdata mktemp libtermcap

# Install some dependencies (this is mainly to keep the next command smaller)
$rpm grep pcre libstdc++ info ncurses zlib gawk sed ethtool

# Install the bulk of the system
$rpm coreutils libselinux libacl libattr pam audit-libs cracklib-dicts \
cracklib libsepol mcstrans libcap chkconfig python db4 openssl readline \
bzip2-libs gdbm findutils krb5-libs initscripts util-linux popt udev MAKEDEV \
centos-release shadow-utils keyutils-libs iproute sysfsutils SysVinit \
net-tools module-init-tools e2fsprogs e2fsprogs-libs glib2 mingetty \
device-mapper sysklogd psmisc centos-release-notes procps libsysfs iputils 


# Install package manager
$rpm rpm beecrypt elfutils-libelf rpm-libs sqlite

# Install YUM
$rpm yum python-elementtree rpm-python yum-metadata-parser python-sqlite \
expat libxml2 python-urlgrabber m2crypto python-iniparse


# You may also want to install your favorite editor
$rpm nano

# This provides /root with some defaults, like color highlighting on `ls`
$rpm rootfiles

# Right now you have system which you can chroot to, so we can start setting up
# the basics

# Mount directories for chroot operation
$ mount --bind /dev /target/dev
$ mount -t proc none /target/proc
$ mount -t sysfs none /target/sys
$ chroot /target

# This constructs /etc/shadow
$ pwconv

# Configure fstab
$ nano -w /etc/fstab

# Installing the kernel. Do this back outside the chroot in the host OS system
$ exit
$rpm kernel mkinitrd cpio device-mapper-multipath dmraid gzip kpartx lvm2 nash \
tar less device-mapper-event

# Install the bootloader, grub.
$rpm grub diffutils redhat-logos

# Let's chroot again to configure our bootloader
$ chroot /target

# We start by configuring the bootloader. Open /boot/grub/menu.lst, and put the
# following there

<<



# If this command gives an error, you can safely ignore this because it's not
# of importance. What is important is that grub-install copied the right files
# to /boot/grub that we need for booting.
$ /sbin/grub-install /dev/sda

# Manually install grub if the previous step failed. - means type it in the grub
# shell
$ grub
$- root (hd0,0)
$- setup (hd0)

# Optional packages
# You may want to install passwd so you can set passwords ;-)
$rpm passwd libuser openldap cyrus-sasl-lib

# These are used to set the keyboard language (loadkeys)
$rpm kbd usermode


# ** Right now you should have a bootable system! Here are some tips to help you
# through your 1st boot ***

# Most of the system configuration happens

Re: [CentOS] [OT] Network switches

2009-03-26 Thread J Potter

> look at HP Procurves. That is what I use.
> You can get 2524's quite cheap on ebay.

We used these for years, and they were great, and super cheap on EBay.  
HP support was fantastic as well. The 26xx series allows for "light"  
layer 3 routing; you may want to snag the 2626 or 2650 instead of the  
25xx series. I believe that HP has end-of-lifed these switches,  
though, so firmware updates for security bugs, etc, will, from what I  
understand, cease in a few years.

We upgraded to some Dell PowerConnect 6248s in the past year, so that  
we could use VRRP for (routing-enabled) switch failover. As with all  
Dell things, hammer them on the price and you can get it ~30% cheaper  
than listed.

-Jeff



Re: [CentOS] Installing on partitionable RAID arrays

2009-03-26 Thread Les Mikesell
RedShift wrote:
>
>  
> As a follow-up, I found the documentation I wrote how to install CentOS 
> without any installer:


That looks useful.  Do you have any hints about how to get the right 
drivers installed if you wanted to build a disk to be moved to a 
different machine?

-- 
   Les Mikesell
lesmikes...@gmail.com



Re: [CentOS] Installing on partitionable RAID arrays

2009-03-26 Thread Phil Schaffner
RedShift wrote:
> RedShift wrote:
>> Hello
>>
>>
>> Since linux 2.6, the md layer has a feature called partitionable 
>> arrays. So instead of having two disks, creating an identical 
>> partition table on both and then putting those partitions in RAID 1, 
>> you take those two disks and put them in one partitionable RAID 1 
>> array (in mdadm terms, "mdp") and create a partition table on the new 
>> RAID device. The advantages are quite clear compared to the old 
>> non-partitionable arrays.
>>
>> My question is, is this supported by CentOS? The GTK installer doesn't 
>> provide a way to create such an mdp device and the integrated 
>> partitioning tool does not see for example md_d0 when I create it 
>> manually from the console.

I expect we may have to wait on upstream to have installer support. 
Anybody with RHEL want to put in an official request?

>> Another way to get CentOS on such a configuration would be to do 
>> everything manually, thus installing the base system by creating the 
>> necessary disk allocations and then rpm -i all the required packages 
>> to get it to boot. (I've done this before, it's not a big deal, you 
>> just need to follow a certain order - I remember documenting it 
>> somewhere but forgot). But since this method is probably not 
>> officially documented anywhere or even supported I'll most likely 
>> won't get any support if this setup were to fail somehow (like when 
>> upgrading between minor versions).
>>
>> I've tried STFW'ing, but searching for centos and partitionable arrays 
>> is too ambiguous.

I tried googling too, and came up with lots of docs on "partitionable 
arrays", but nothing on installing.  Can't say for sure without testing, 
but I suspect GRUB would choke on this.  Would probably still need at 
least a /boot on a separate partition, or a standard RAID1.

>> Thanks,
>>
>>
>> Best regards,
>>
>>
>> Glenn Matthys 
> 
> 
> As a follow-up, I found the documentation I wrote how to install CentOS 
> without any installer:
> 
> 
> # First, setup your disks to your liking. You can use whatever you want 
> here,
... snip ...
> (PS: I've also attached the documentation as install_centos.txt, but 
> mailman will probably strip it)

Attachment came through fine for me.  Very interesting - might make a 
nice Wiki article, and could be included on a LiveCD as a way of 
bootstrapping a CentOS install.

Phil


Re: [CentOS] Installing on partitionable RAID arrays

2009-03-26 Thread Ross Walker
On Mar 26, 2009, at 8:55 AM, Les Mikesell  wrote:

> RedShift wrote:
>>
>>
>> As a follow-up, I found the documentation I wrote how to install  
>> CentOS
>> without any installer:
>
>
> That looks useful.  Do you have any hints about how to get the right
> drivers installed if you wanted to build a disk to be moved to a
> different machine?

That's even easier.

Add the disk driver names in modprobe.conf the ones for system disks  
in the top half, data disks below. Then run a mkinitrd.

Modprobe.conf excerpt:

alias scsi_adapter ata_piix
alias scsi_adapter0 ahci
alias scsi_adapter1 mega_sas
alias scsi_adapter2 mpt

# mv /boot/initrd-$(uname -r).img /boot/initrd-$(uname -r).img.bak
# mkinitrd /boot/initrd-$(uname -r).img $(uname -r)

That should make an initrd with the drivers necessary to boot your  
other boxes (of course using your own disk drivers and not mine).

-Ross
  


Re: [CentOS] Installing on partitionable RAID arrays

2009-03-26 Thread RedShift
Phil Schaffner wrote:
> RedShift wrote:
>>> Another way to get CentOS on such a configuration would be to do 
>>> everything manually, thus installing the base system by creating the 
>>> necessary disk allocations and then rpm -i all the required packages 
>>> to get it to boot. (I've done this before, it's not a big deal, you 
>>> just need to follow a certain order - I remember documenting it 
>>> somewhere but forgot). But since this method is probably not 
>>> officially documented anywhere or even supported I'll most likely 
>>> won't get any support if this setup were to fail somehow (like when 
>>> upgrading between minor versions).
>>>
>>> I've tried STFW'ing, but searching for centos and partitionable arrays 
>>> is too ambiguous.
> 
> I tried googling too, and came up with lots of docs on "partitionable 
> arrays", but nothing on installing.  Can't say for sure without testing, 
> but I suspect GRUB would choke on this.  Would probably still need at 
> least a /boot on a separate partition, or a standard RAID1.
> 

GRUB works at least with a RAID 1 setup. (I run it in production on another 
distro). On a partitionable RAID 1, the data can still be read independently 
from the disks (that allows GRUB to work). If you have two disks you would 
install your GRUB MBR twice, once on both disks using the GRUB shell. I haven't 
tried other RAID forms but I see no reason why the built-in RAID 10 would not 
work as well.

>>> Thanks,
>>>
>>>
>>> Best regards,
>>>
>>>
>>> Glenn Matthys 
>>
>> As a follow-up, I found the documentation I wrote how to install CentOS 
>> without any installer:
>>
>>
>> # First, setup your disks to your liking. You can use whatever you want 
>> here,
> ... snip ...
>> (PS: I've also attached the documentation as install_centos.txt, but 
>> mailman will probably strip it)
> 
> Attachment came through fine for me.  Very interesting - might make a 
> nice Wiki article, and could be included on a LiveCD as a way of 
> bootstrapping a CentOS install.
> 

I'll have a go at that.


Re: [CentOS] Installing on partitionable RAID arrays

2009-03-26 Thread Raja Subramanian
On Thu, Mar 26, 2009 at 5:42 PM, RedShift  wrote:
> Since linux 2.6, the md layer has a feature called partitionable arrays. So 
> instead of having two disks, creating an identical partition table on both 
> and then putting those partitions in RAID 1, you take those two disks and put 
> them in one partitionable RAID 1 array (in mdadm terms, "mdp") and create a 
> partition table on the new RAID device. The advantages are quite clear 
> compared to the old non-partitionable arrays.

For the uninitiated, would you be kind enough to elaborate the
advantages of mdp?

I have always created identical partitions on the raw disks first,
and then used mdadm on top.  I also create my partitions ~200MB
smaller than raw disk capacity to ensure minor size differences
between disks (eg. 160GB HDD from Seagate is not exactly same
size as a 160GB disk from Samsung) will not prevent me from
adding them to a raid set.

Does mdp handle this scenario?

- Raja


Re: [CentOS] Installing on partitionable RAID arrays

2009-03-26 Thread Les Mikesell
Ross Walker wrote:

>> RedShift wrote:
>>>
>>> As a follow-up, I found the documentation I wrote how to install  
>>> CentOS
>>> without any installer:
>>
>> That looks useful.  Do you have any hints about how to get the right
>> drivers installed if you wanted to build a disk to be moved to a
>> different machine?
> 
> That's even easier.
> 
> Add the disk driver names in modprobe.conf the ones for system disks  
> in the top half, data disks below. Then run a mkinitrd.
> 
> Modprobe.conf excerpt:
> 
> alias scsi_adapter ata_piix
> alias scsi_adapter0 ahci
> alias scsi_adapter1 mega_sas
> alias scsi_adapter2 mpt
> 
> # mv /boot/initrd-$(uname -r).img /boot/initrd-$(uname -r).img.bak
> # mkinitrd /boot/initrd-$(uname -r).img $(uname -r)
> 
> That should make an initrd with the drivers necessary to boot your  
> other boxes (of course using your own disk drivers and not mine).

Thanks - but there is another half to that question. How do you find the 
names of the drivers that match any particular hardware without running 
the installer?

I'd like to have a generic backup/restore mechanism that would drop in a 
   tar image (etc.) from one machine and come up running on something 
different - or a fixup procedure for disks that have been moved from one 
chassis to another.  Even where the machines are identical and I put the 
target machine's MAC addresses in the ifcfg-ethX file, something seems 
to rename them and screw things up when a disk is moved.

-- 
   Les Mikesell
lesmikes...@gmail.com





Re: [CentOS] Installing on partitionable RAID arrays

2009-03-26 Thread RedShift
Raja Subramanian wrote:
> On Thu, Mar 26, 2009 at 5:42 PM, RedShift  wrote:
>> Since linux 2.6, the md layer has a feature called partitionable arrays. So 
>> instead of having two disks, creating an identical partition table on both 
>> and then putting those partitions in RAID 1, you take those two disks and 
>> put them in one partitionable RAID 1 array (in mdadm terms, "mdp") and 
>> create a partition table on the new RAID device. The advantages are quite 
>> clear compared to the old non-partitionable arrays.
> 
> For the uninitiated, would you be kind enough to elaborate the
> advantages of mdp?
> 
> I have always created identical partitions on the raw disks first,
> and the used mdadm on top.  I also create my partitions ~200MB
> smaller than raw disk capacity to ensure minor size differences
> between disks (eg. 160GB HDD from Seagate is not exactly same
> size as a 160GB disk from Samsung) will not prevent me from
> adding them to a raid set.
> 
> Does mdp handle this scenario?
> 

When you run a partitionable array you don't have to care about the partition 
table on the independent disks. So when a disk fails, you don't have to 
recreate the exact same partition table, you just swap the device using the 
mdadm tool.

Another advantage is that you don't have to do the disk swap for every 
partition. For example, in the old scenario, you have two disks (sda and sdb) 
with 4 partitions on them each. On those 4 partitions you create your RAID 
arrays, like md0=sda1,sdb1; md1=sda2,sdb2; and so forth. When sda fails, you 
have to remove the failed disk from all of the 4 RAID arrays and when you've 
put in the new disk, you have to signal all 4 arrays that the new disk is to be 
used. Not only do you have to execute 4 times as many commands, reconstruction 
of the 4 arrays will take place in parallel leading to slow disk access during 
reconstruction. When reconstructing a partitionable array using whole disks, 
reconstruction will always be sequential.

In the disks not being equal scenario: you can limit the size of the RAID array 
during creation with the -z parameter (man mdadm, chapter "For create, build, 
or grow:"). So instead of limiting the size of the partitions you create, you 
limit the whole size of the RAID array. So having a smaller replacement disk is 
no problem as long as it's equal or bigger than the array size you defined 
during creation.


Best regards,


Glenn Matthys


Re: [CentOS] Installing on partitionable RAID arrays

2009-03-26 Thread Mogens Kjaer
RedShift wrote:
...
>  Not only do you
> have to execute 4 times as much commands, reconstruction of the 4
> arrays will take place in parallel leading to slow disk access during
> reconstruction. 

Is this right?

When I have replaced a disk and added several partitions
to an array, the rebuild is done one partition at a time.

The /proc/mdstat would say "delayed" on the partitions
waiting.

Mogens
-- 
Mogens Kjaer, Carlsberg A/S, Computer Department
Gamle Carlsberg Vej 10, DK-2500 Valby, Denmark
Phone: +45 33 27 53 25, Mobile: +45 22 12 53 25
Email: m...@crc.dk Homepage: http://www.crc.dk
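
Added example, not part of the thread: one way to see from /proc/mdstat whether arrays that share disks rebuild together or wait their turn, the point raised in the two messages above. The mdstat text is constructed sample input and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Reads /proc/mdstat-style text on stdin
# and prints "array state [progress]" per md array, where state is one of
# rebuilding, delayed or idle.
mdstat_rebuild_state() {
    awk '
    function emit(    line) {
        if (name != "") {
            line = name " " state
            if (pct != "") line = line " " pct
            print line
        }
        name = ""; pct = ""
    }
    # A stanza starts with "md0 : ..." or, for a partitionable array, "md_d0 : ..."
    /^md[_a-z0-9]* *:/ { emit(); name = $1; state = "idle"; next }
    # Progress line, e.g. "[==>....]  recovery = 12.6% (...) finish=..."
    name != "" && /(recovery|resync) *= *[0-9.]+%/ {
        state = "rebuilding"
        if (match($0, /[0-9.]+%/)) pct = substr($0, RSTART, RLENGTH)
        next
    }
    # An array waiting for another rebuild on the same disks is marked DELAYED
    name != "" && /(recovery|resync)=DELAYED/ { state = "delayed" }
    END { emit() }'
}

# Count arrays in a given state: count_state rebuilding < /proc/mdstat
count_state() {
    mdstat_rebuild_state | awk -v s="$1" '$2 == s { n++ } END { print n + 0 }'
}

# Constructed sample: sdb was replaced and re-added to four partition-based
# RAID 1 arrays; md0 has finished, md1 is rebuilding, md2 and md3 are waiting.
sample_mdstat() {
    cat <<'EOF'
Personalities : [raid1]
md3 : active raid1 sdb4[2] sda4[0]
      20482752 blocks [2/1] [U_]
        resync=DELAYED

md2 : active raid1 sdb3[2] sda3[0]
      10482304 blocks [2/1] [U_]
        resync=DELAYED

md1 : active raid1 sdb2[2] sda2[0]
      2096384 blocks [2/1] [U_]
      [==>..................]  recovery = 12.6% (264192/2096384) finish=0.5min speed=52838K/sec

md0 : active raid1 sdb1[1] sda1[0]
      104320 blocks [2/2] [UU]

unused devices: <none>
EOF
}

sample_mdstat | mdstat_rebuild_state
```

On a live system run `mdstat_rebuild_state < /proc/mdstat`; more than one array in the rebuilding state at once means the rebuilds are running in parallel.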


[CentOS] Acrobat Reader 9 on Centos 4.7

2009-03-26 Thread tblader
Hello,
Anyone know how to get Acrobat 9 running* on Centos 4.7?
Looks like a libc conflict:

   /Adobe/Reader9/Reader/intellinux/bin/acroread: error while loading shared \
   libraries: /apps/Adobe/Reader9_libs/libstdc++.so.6: requires glibc 2.5 or 
later dynamic linker

Thanks
Thomas

[*] - http://www.us-cert.gov/cas/techalerts/TA09-051A.html
-- 

Flambeau Inc. Technology Center - Baraboo, WI
Email: tbla...@flambeau.com
Keyserver: http://pgp.mit.edu KeyID: 0x00E9EC2C


Re: [CentOS] Monitoring IP masquerading on LVS load-balancing

2009-03-26 Thread David Dyer-Bennet

On Wed, March 25, 2009 17:40, Barry Brimer wrote:

> ipvsadm -L -c -n should do the trick.

Just following up, now that I'm back at work and have tried it.  Yep,
excellent.  Using that with "watch" gives me a nice display.

(I'm load-balancing a rather small load of rather compute-heavy web
services across a small cluster, so a connection persists for long enough
to be noticed on the screen often, and there are few enough of them to
keep track of.  This lets me observe directly (and hence resolve other
people's doubts) that the load really is being spread across the cluster
for example.  Monitoring directly on each server is harder, plus they're
running Windows now so they're harder to monitor remotely.)

Thanks again!
-- 
David Dyer-Bennet, d...@dd-b.net; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info



[CentOS] manage different profile with a laptop

2009-03-26 Thread MOKRANI Rachid
Hi,
 
I need to use different profiles with some Linux CentOS laptops.

- I need to connect the laptops at work with NIS, automount, DHCP

- The same laptops can be used at home without NIS etc., but with a personal
wifi connection

- The same laptops can be used while travelling without network configuration

Which is the best software to use to manage different profiles?
 
Regards.


[CentOS] PXE-Kernel crashes with "RAMDISK: incomplete write ..." after modifying initrd.img

2009-03-26 Thread Frank Thommen
Hi,

to install current PC models (with new Intel NICs) via Kickstart/PXE, I 
wanted to add the newest e1000e driver to initrd.img.  With this 
modified image, the Kickstart kernel crashes with the following error 
messages:


[...]
md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
RAMDISK: Compressed image found at block 0
RAMDISK: incomplete write (20480 != 32768) 6062080
VFS: Cannot open root device "" or unknown-block(253,3)
Please append a correct "root=" boot option
Kernel panic - not syncing: VFS: Unable to mount root fs on 
unknown-block(253,3)


To modify the initrd.img, I took the original CentOS 5.2 image, unpacked 
with cpio/gunzip and replaced modules/2.6.18-92.el5/x86_64/e1000e.ko 
with a current version.  This driver module had been created on a 
freshly installed CentOS 5.2 host with kernel 2.6.18-92.el5 and w/o any 
updates.  After adding the driver, I re-archived and re-packed the image 
and replaced the initrd.img on my tftp server.


The new image is considerably bigger than the old one (12 MB vs. 5.7 MB) 
which puzzles me, as the driver file itself is 2.8 MB (compared to the 
old e1000e.ko with ca 170 KB) but the resulting modules.cgz is only 
around 700 KB bigger than the original one.  All files have been 
compressed with `gzip -9`.


My PXE boot settings are:

   KERNEL CentOS-5.2_64/vmlinuz
   APPEND initrd=CentOS-5.2_64/initrd.img ramdisk_size=5940 kssendmac ks=http://srv/ks/ks.cgi noipv6


Even raising ramdisk_size doesn't help.  At around ramdisk_size=7100 
there seems to be an overflow and the size is recounted from zero (?).


Any ideas how one can/should create an updated and working initrd.img 
for Kickstart/PXE?


A similar question has been asked before on this list and a 
recommendation was to wait for 5.3.  Unfortunately I cannot wait for the 
next release.


Thanks in advance

 frank


Re: [CentOS] Installing on partitionable RAID arrays

2009-03-26 Thread Robert Heller
At Thu, 26 Mar 2009 08:44:34 -0500 CentOS mailing list  
wrote:

> 
> Ross Walker wrote:
> 
> >> RedShift wrote:
> >>>
> >>> As a follow-up, I found the documentation I wrote how to install  
> >>> CentOS
> >>> without any installer:
> >>
> >> That looks useful.  Do you have any hints about how to get the right
> >> drivers installed if you wanted to build a disk to be moved to a
> >> different machine?
> > 
> > That's even easier.
> > 
> > Add the disk driver names in modprobe.conf the ones for system disks  
> > in the top half, data disks below. Then run a mkinitrd.
> > 
> > Modprobe.conf excerpt:
> > 
> > alias scsi_adapter ata_piix
> > alias scsi_adapter0 ahci
> > alias scsi_adapter1 mega_sas
> > alias scsi_adapter2 mpt
> > 
> > # mv /boot/init-$(uname -r).img /boot/init-$(uname -r).img
> > # mkinitrd /boot/init-$(uname -r).img $(uname -r)
> > 
> > That should make an initrd with the drivers necessary to boot your  
> > other boxes (of course using your own disk drivers and not mine).
> 
> Thanks - but there is another half to that question. How do you find the 
> names of the drivers that match any particular hardware without running 
> the installer?

Installing the kernel source RPM is one option.  Then it is a matter of
the use of grep to search in the source code for the devices you need
drivers for.

You can also 'cheat' by copying the PXE boot initrd file from the first
CD or the DVD and unpack this file.  It is a compressed cpio file:

gunzip  < /path/to/pxeinitrd|(cd /some/temp/directory;cpio -i)

In the /some/temp/directory there will be a subdir named modules, with a
file named modules.alias.  This file contains a mapping of PCI
vendor/device IDs to module names.  lspci will give you the
vendor/device IDs of the devices in question or you can look them up in
/usr/share/hwdata/pci.ids.

> 
> I'd like to have a generic backup/restore mechanism that would drop in a 
> tar image (etc.) from one machine and come up running on something 
> different - or a fixup procedure for disks that have been moved from one 
> chassis to another.  Even where the machines are identical and I put the 
> target machine's MAC addresses in the ifcfg-ethX file, something seems 
> to rename them and screw things up when a disk is moved.
> 

-- 
Robert Heller -- 978-544-6933
Deepwoods Software-- Download the Model Railroad System
http://www.deepsoft.com/  -- Binaries for Linux and MS-Windows
hel...@deepsoft.com   -- http://www.deepsoft.com/ModelRailroadSystem/
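
The lookup described above, as an added example that is not from Robert's message: shell functions that build a PCI modalias string from the IDs `lspci -n` prints and match it against alias lines. It assumes modules.alias uses the usual modprobe `alias pci:v... module` syntax; the sample lines and function names are constructed for illustration.

```shell
#!/bin/sh
# Map a PCI device to the kernel module(s) that claim it, using the
# modules.alias file unpacked from the installer initrd.

# Constructed sample in modprobe alias syntax (assumed format of
# modules/modules.alias; not copied from a real initrd).
SAMPLE_ALIASES='alias pci:v00008086d000010BDsv*sd*bc*sc*i* e1000e
alias pci:v00008086d0000100Esv*sd*bc*sc*i* e1000
alias pci:v00008086d00002922sv*sd*bc*sc*i* ahci
alias pci:v*d*sv*sd*bc01sc06i01* ahci
alias pci:v00001000d00000060sv*sd*bc*sc*i* megaraid_sas'

# pci_modalias VENDOR DEVICE CLASS [PROGIF] [SUBVENDOR] [SUBDEVICE]
# Arguments are hex without "0x", as printed by `lspci -n`
# (e.g. "00:19.0 0200: 8086:10bd" -> pci_modalias 8086 10bd 0200).
# Fields that lspci -n does not print default to 0, so an alias that
# names a specific subsystem ID only matches if you pass that ID.
pci_modalias() {
    pm_class=$((0x$3))
    printf 'pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02X\n' \
        "0x$1" "0x$2" "0x${5:-0}" "0x${6:-0}" \
        "$(( (pm_class >> 8) & 255 ))" "$(( pm_class & 255 ))" "0x${4:-0}"
}

# modules_for MODALIAS
# Reads alias lines on stdin and prints each module whose pattern
# matches MODALIAS, one per line, without duplicates.
modules_for() {
    while read -r keyword pattern module; do
        [ "$keyword" = alias ] || continue
        # An unquoted expansion used as a case pattern is matched as a
        # glob, which is how the wildcards in the alias lines are read.
        case $1 in
            $pattern) printf '%s\n' "$module" ;;
        esac
    done | sort -u
}

# Usage: sh pcimod.sh /some/temp/directory/modules/modules.alias 8086 10bd 0200
if [ $# -ge 4 ]; then
    alias_file=$1
    shift
    modules_for "$(pci_modalias "$@")" < "$alias_file"
fi
```
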
 


Re: [CentOS] help on kerberos5--- solved

2009-03-26 Thread fabian dacunha
Thanks guys, I already solved the problem of getting kinit to work:
kinit Administrator
and after entering the password it worked great.

Here is my krb5.conf, which is working perfectly:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = BALADIA.LOCAL
 dns_lookup_kdc = false

 dns_lookup_realm = false
[realms]
BALADIA.LOCAL = {
   default_domain = baladia.local
  kdc = xx.xx.xx.xx:88
  admin_server = xx.xx.xx.xx:749
  kdc = KMUN
}

[domain_realm]
baladia.local = BALADIA.LOCAL

Once again, I really appreciate your help.

Now I just want to get my CentOS box to join my win2003 AD server..


regards

Fabian



> On Wed, 2009-03-25 at 13:15 +0300, fabian dacunha wrote:
>> my domain name is===> baladia.local
>> Windows 2003 AD server computer name is> kmun
>>
>> my /etc/krb5.conf file is
>>
>> 
>> [logging]
>>  default = FILE:/var/log/krb5libs.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>  ticket_lifetime=24000
>>  default_realm=BALADIA.LOCAL
>>  dns_lookup_realm = false
>>  dns_lookup_kdc = false
>>
>> [realms]
>>  BALADIA.LOCAL={
>>   kdc=172.16.2.227:88
>> #  admin_server=kmun.baladia.local:749
>>   default_domain=BALADIA.LOCAL
>>   kdc=BALADIA.LOCAL
>>  }
>
> You only need one kdc here.  Choose one, comment/delete the other.
>
>> [domain_realm]
>> .baladia.local=BALADIA.LOCAL
>> baladia.local=BALADIA.LOCAL
>>
>> kerberos  88/udp   kdc  # Kerberos key server
>> kerberos  88/tcp   kdc  # Kerberos key server
>
> What are these "kerberos" lines for? Why have you put them here? They
> don't belong - comment/delete them.
>
>
>> [kdc]
>>   profile = /var/kerberos/krb5kdc/kdc.conf
>>
>> [appdefaults]
>>  pam = {
>>debug = false
>>ticket_lifetime = 36000
>>renew_lifetime = 36000
>>forwardable = true
>>krb4_convert = false
>>  }
>
> kinit should work after making the changes above.
>
> Regards,
>
> Ranbir
>
> --
> Kanwar Ranbir Sandhu
> Linux 2.6.27.19-170.2.35.fc10.x86_64 x86_64 GNU/Linux
> 14:06:36 up 19 days, 13:32, 4 users, load average: 0.14, 0.20, 0.18
>
>





Re: [CentOS] PXE-Kernel crashes with "RAMDISK: incomplete write ..." after modifying initrd.img

2009-03-26 Thread James Pearson
Frank Thommen wrote:
> 
> To modify the initrd.img, I took the original CentOS 5.2 image, unpacked 
> with cpio/gunzip and replaced modules/2.6.18-92.el5/x86_64/e1000e.ko 
> with a current version.  This driver module had been created on a 
> freshly installed CentOS 5.2 host with kernel 2.6.18-92.el5 and w/o any 
> updates.  After adding the driver, I re-archived and re-packed the image 
> and replaced the initrd.img on my tftp server.
>  
> The new image is considerably bigger than the old one (12 MB vs. 5.7 MB) 
> which puzzles me, as the driver file itself is 2.8 MB (compared to the 
> old e1000e.ko with ca 170 KB) but the resulting modules.cgz is only 
> around 700 KB bigger than the original one.  All files have been 
> compressed with `gzip -9`.

What cpio options did you use to re-create modules/modules.cgz and then 
the initrd.img?

Did you gzip the initrd.img after cpio'ing it?

It might be better to wait for CentOS 5.3 - as that has an updated 
e1000e module - hopefully 5.3 might be out this week end ...

James Pearson


Re: [CentOS] PXE-Kernel crashes with "RAMDISK: incomplete write ..." after modifying initrd.img

2009-03-26 Thread nate
Frank Thommen wrote:
> Hi,
>
> to install current PC models (with new Intel NICs) via Kickstart/PXE, I
> wanted to add the newest e1000e driver to initrd.img.  With this
> modified image, the Kickstart kernel crashes with the following error
> messages:

Maybe you need to increase the memory allocated to ramdisk? by
default I use ramdisk_size=16384 as a kernel parameter for booting
the installer.

nate



Re: [CentOS] PXE-Kernel crashes with "RAMDISK: incomplete write ..." after modifying initrd.img

2009-03-26 Thread John Doe

Frank Thommen wrote:
> > To modify the initrd.img, I took the original CentOS 5.2 image, unpacked 
> > with cpio/gunzip and replaced modules/2.6.18-92.el5/x86_64/e1000e.ko 
> > with a current version.  This driver module had been created on a 
> > freshly installed CentOS 5.2 host with kernel 2.6.18-92.el5 and w/o any 
> > updates.  After adding the driver, I re-archived and re-packed the image 
> > and replaced the initrd.img on my tftp server.
> >  
> > The new image is considerably bigger than the old one (12 MB vs. 5.7 MB) 
> > which puzzles me, as the driver file itself is 2.8 MB (compared to the 
> > old e1000e.ko with ca 170 KB) but the resulting modules.cgz is only 
> > around 700 KB bigger than the original one.  All files have been 
> > compressed with `gzip -9`.

Just wondering... can you safely strip modules like you would strip executables?

JD


  



Re: [CentOS] live audio feed via telephone link

2009-03-26 Thread Scott Silva
on 3-25-2009 5:00 PM Frank Cox spake the following:
> On Wed, 25 Mar 2009 16:32:07 -0700
> Scott Silva wrote:
> 
>> If the radio station has phone lines, they should be able to get something like
>> a T1 or fractional part. Much more reliable and more bandwidth.
> 
> I don't think it's available there.  Even the next-nearest town has only
> dial-up Internet.  The nearest location that has real dedicated Internet
> service available at all is the location that I'm looking to move the signal 
> out
> to.
> 
>  > Or look into a  microwave or satellite link. 
> 
> As always, cost is THE factor.  I have no idea how much a 24-hour satellite
> link would cost but I suspect it might be more than a phone line.  Based on my
> (very limited) experience with tv satellite dishes around here, they don't 
> seem
> to perform very well when it's -50 degrees outside and blowing snow.  Some
> years back I had to go out and try to beat ice off of a dish a few times in
> those conditions and didn't really enjoy it all that much.
> 
>> I don't think you will be able to compress a
>> radio signal enough to fit over a dial line without a lot of loss. You would
>> need several lines multiplexed together for a decent sounding broadcast.
> 
> Well, that's what I'm looking into.  I remember listening to streaming audio
> over a 14.4 modem way-back-when which wasn't great quality but modems have
> gotten a lot faster than that since, too.  I don't know enough about it (yet)
> to be aware of exactly what can be accomplished.
> 
>> There are many point to point links that will cover 40 miles (65 km).
>> I don't know how far you have to go.
> 
> That's another thought.  The station's antenna is on top of a hill but for
> protection from the elements and whatnot, the studio is down in a
> valley (i.e. a hole). They currently use a microwave link to send the signal 
> up
> the hill from the studio, so I'm not sure how feasible that would be to get a
> point-to-point solution going, but it's worth looking into. Do you have any
> recommendations for hardware that might work?  I just checked, and Google Maps
> tells me that the distance is 52.3km.
If the station is in a hole, you would need to pipe the signal through relays,
possibly up to the antenna site and then on to the next point. Motorola makes
some long range PTP radios that reach as far as 124 miles (200km), as does
Proxim (not sure of their maximum range). Motorola is the leader in this area,
and they are worldwide. This site has some options;
http://www.winncom.com/products/category/WPP/list.html

If they already have a microwave link to the antenna site, it shouldn't be
that hard to repeat that signal to another site. They could put a microwave
repeater at the antenna site and move the receiver that is now there to the
third site.
> 
> I've been talking to the station manager for quite a while about doing
> something to get their signal online, but the stumbling block has always been
> how to get the signal out where you can get an Internet connection.  I just 
> had
> this dedicated phone line idea last week; if it (or something else) will work,
> then I'll be able to provide him with a set of costs that he can take to
> his board of directors, and we'll see what happens after that.  The phone
> company is working on a proposal for me so I'm now trying to get the rest of 
> it
> figured out.
A pure digital 56k link should be just as easy as a modem link if the wiring
is sound. If the wire is marginal, even a modem won't keep a full 56K link
going. Besides, most modems don't do 56K from modem to modem unless they are
synchronous. 56k dialup from modem to modem usually doesn't go over 33.6k. You
only get the 56k if there is only one analog to digital conversion, which you
would only get by dialing into a T1 concentrator at the ISP. I suppose you
could do something over a plain 4 wire link from site to site. There used to
be modems that ran over those years ago, and maybe they are still available.
You would need a leased 2pair wire run from one point to the other.
> 


-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't





Re: [CentOS] PXE-Kernel crashes with "RAMDISK: incomplete write ..." after modifying initrd.img

2009-03-26 Thread Frank Thommen
> What cpio options did you use to re-create modules/modules.cgz and then 
> the initrd.img?

I used `cpio -ovF ` and `cpio -ov -H crc -F ` (I found the 
latter on http://sial.org/howto/linux/initrd/).  However I could not 
find any "officially looking" information about how the 
initrd.img/modules.cgz is created.

> 
> Did you gzip the initrd.img after cpio'ing it?

yes, with `gzip -9`.


> It might be better to wait for CentOS 5.3 - as that has an updated 
> e1000e module - hopefully 5.3 might be out this week end ...

OK, I could wait this long (better: short) :-)

frank


Re: [CentOS] PXE-Kernel crashes with "RAMDISK: incomplete write ..." after modifying initrd.img

2009-03-26 Thread Frank Thommen
>> to install current PC models (with new Intel NICs) via Kickstart/PXE, I
>> wanted to add the newest e1000e driver to initrd.img.  With this
>> modified image, the Kickstart kernel crashes with the following error
>> messages:
> 
> Maybe you need to increase the memory allocated to ramdisk? by
> default I use ramdisk_size=16384 as a kernel parameter for booting
> the installer.

with ramdisk_size=16384 the error message is:

[...]
md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
RAMDISK: Compressed image found at block 0
RAMDISK: incomplete write (-28 != 32768) 16777216
VFS: Cannot open root device "" or unknown-block(253,3)
Please append a correct "root=" boot option
Kernel panic - not syncing: VFS: Unable to mount root fs on
unknown-block(253,3)


There is probably an exact way to determine a valid ramdisk_size, but 
which? :-}


frank




Re: [CentOS] PXE-Kernel crashes with "RAMDISK: incomplete write ..." after modifying initrd.img

2009-03-26 Thread Tru Huynh
On Thu, Mar 26, 2009 at 05:27:10PM +0100, Frank Thommen wrote:
> > What cpio options did you use to re-create modules/modules.cgz and then 
> > the initrd.img?
> 
> I used `cpio -ovF ` and `cpio -ov -H crc -F ` (I found the 
> latter on http://sial.org/howto/linux/initrd/).  However I could not 
> find any "officially looking" information about how the 
> initrd.img/modules.cgz is created.

find ./ | cpio -H newc -o | gzip -c9 > /path/to/my/initrd.img

Tru
-- 
Tru Huynh (mirrors, CentOS-3 i386/x86_64 Package Maintenance)
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B




Re: [CentOS] PXE-Kernel crashes with "RAMDISK: incomplete write ..." after modifying initrd.img

2009-03-26 Thread Frank Thommen
John Doe wrote:
> Frank Thommen wrote:
>>> [...]
>>>  
>>> The new image is considerably bigger than the old one (12 MB vs. 5.7 MB) 
>>> which puzzles me, as the driver file itself is 2.8 MB (compared to the 
>>> old e1000e.ko with ca 170 KB) [...]
> 
> Just wondering... can you safely strip modules like you would strip 
> executables?


Don't know. Admittedly I don't even know what stripping is...[reading in 
Wikipedia]...now having some half-knowledge...  

`strip e1000e.ko` results in a 148K file (compared to the 2.8MB 
original).  I'll try to put this one into the initrd.img tomorrow.

Thanks

frank


[CentOS] Creating a CentOS Print Server for Windows Clients

2009-03-26 Thread Joseph L. Casale
A while ago I looked into this and was told not to bother as it was a
hack at best. Can anyone shed any reliable info on creating a print server
for Windows NT -> Vista clients, both x86 and x64, for a few Canon and
HP IP printers?

Would this be reliable, are there any caveats or issues to be aware of?

Thanks!
jlc


[CentOS] Dell 120 GB 5400 RPM Encrypted Serial ATA Hard Drive

2009-03-26 Thread Agile Aspect
Hi - I've been asked to re-partition a

Dell 120 GB 5400 RPM Encrypted Serial ATA Hard Drive

and install CentOS 5 on the new partition.

It's a Dell Latitude E5400 laptop.

Is this even possible with encrypted drives?

Does CentOS 5 need special drivers?

Any help would be greatly appreciated.

-- Agile

-- 
Article. VI. Clause 3 of the constitution of the United States states: 

"The Senators and Representatives before mentioned, and the Members of 
the several State Legislatures, and all executive and judicial Officers, 
both of the United States and of the several States, shall be bound by 
Oath or Affirmation, to support this Constitution; but no religious Test 
shall ever be required as a Qualification to any Office or public Trust 
under the United States." 




Re: [CentOS] Dell 120 GB 5400 RPM Encrypted Serial ATA Hard Drive

2009-03-26 Thread nate
Agile Aspect wrote:
> Hi - I've been asked to re-partition a
>
> Dell 120 GB 5400 RPM Encrypted Serial ATA Hard Drive
>
> and install CentOS 5 on the new partition.
>
> It's a Dell Latitude E5400 laptop.
>
> Is this even possible with encrypted drives?

How is it encrypted? Some new laptops come with drive encryption
built into the hardware which I believe is totally transparent
to the OS, sample device:
http://www.seagate.com/docs/pdf/datasheet/disc/ds_momentus_5400_fde_3.pdf

Looking at this:
http://accessories.dell.com/sna/products/Internal_Hard_Drives/productdetail.aspx?c=ca&l=en&s=dhs&cs=cadhs1&sku=341-6557

The drive they have seems similar, so I would expect
re-partitioning to work fine, though of course backup any
important data before trying.

nate




Re: [CentOS] Installing on partitionable RAID arrays

2009-03-26 Thread Scott Silva
on 3-26-2009 6:58 AM Mogens Kjaer spake the following:
> RedShift wrote:
> ...
>>  Not only do you
>> have to execute 4 times as much commands, reconstruction of the 4
>> arrays will take place in parallel leading to slow disk access during
>> reconstruction. 
> 
> Is this right?
> 
> When I have replaced a disk and added several partitions
> to an array, the rebuild is done one partition at a time.
> 
> The /proc/mdstat would say "delayed" on the partitions
> waiting.
> 
> Mogens
That is what I remember also.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't





Re: [CentOS] Installing on partitionable RAID arrays

2009-03-26 Thread RedShift
Mogens Kjaer wrote:
> RedShift wrote:
> ...
>>  Not only do you
>> have to execute 4 times as much commands, reconstruction of the 4
>> arrays will take place in parallel leading to slow disk access during
>> reconstruction. 
> 
> Is this right?
> 
> When I have replaced a disk and added several partitions
> to an array, the rebuild is done one partition at a time.
> 
> The /proc/mdstat would say "delayed" on the partitions
> waiting.
> 
> Mogens

I must be mistaken then, it's been a long time since I've used regular md 
devices.


Best regards,


Glenn Matthys


Re: [CentOS] Creating a CentOS Print Server for Windows Clients

2009-03-26 Thread Scott Silva
on 3-26-2009 10:16 AM Joseph L. Casale spake the following:
> A while ago I looked into this and was told not to bother as it was a
> hack at best. Anyone shed any reliable info on creating a print server
> for windows nt -> vista clients both x86 and x64 for a few Canon and
> HP IP Printers.
> 
> Would this be reliable, are there any caveats or issues to be aware of?
> 
> Thanks!
> jlc
It just needs a working cups and samba install to get it working. I run
several linux print servers for windows clients, including driver installs.

The only real problem I had was right before service pack 3 came out for XP.
Some security update broke ALL my HP print drivers on the XP boxes. I fought
with it for 3 weeks, and had to create cups print driver based packages for
all the HP printers until SP3 magically fixed it. I never found out what
caused it.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't





Re: [CentOS] live audio feed via telephone link

2009-03-26 Thread Frank Cox
On Thu, 26 Mar 2009 09:23:31 -0700
Scott Silva wrote:

> If they already have a microwave link to the antenna site, it shouldn't be
> that hard to repeat that signal to another site. They could put a microwave
> repeater at the antenna site and move the receiver that is now there to the
> third site.

Thanks loads to everyone who's offered advice regarding this matter so far.

I have now started exploring the feasibility and cost of VHF and microwave
solutions to this situation as well.  It appears that anything that we do will
involve hardware costs, but if we can do it this way then the phone company
won't be collecting a monthly fee forevermore, and that's got to add up to a
saving down the line.

I definitely know more about this stuff now  and have more options to look
at than I did a couple of days ago, thanks largely to the help of everyone here
on this mailing list.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com


Re: [CentOS] Creating a CentOS Print Server for Windows Clients

2009-03-26 Thread Joseph L. Casale
>It just needs a working cups and samba install to get it working. I run
>several linux print servers for windows clients, including driver installs.

What/How do you handle authentication/perms for the printers?

>The only real problem I had was right before service pack 3 came out for XP.
>Some security update broke ALL my HP print drivers on the XP boxes. I fought
>with it for 3 weeks, and had to create cups print driver based packages for
>all the HP printers until SP3 magically fixed it. I never found out what
>caused it.

Huh, that was my next question. It's trivial to add drivers for various windows
platforms to my windows servers, and it appears you have done this as well. I
will check out Samba's doc site to see what's involved in making a cups print
driver based package.

Thanks!
jlc


Re: [CentOS] live audio feed via telephone link

2009-03-26 Thread Scott Silva
on 3-26-2009 11:19 AM Frank Cox spake the following:
> On Thu, 26 Mar 2009 09:23:31 -0700
> Scott Silva wrote:
> 
>> If they already have a microwave link to the antenna site, it shouldn't be
>> that hard to repeat that signal to another site. They could put a microwave
>> repeater at the antenna site and move the receiver that is now there to the
>> third site.
> 
> Thanks loads to everyone who's offered advice regarding this matter so far.
> 
> I have now started exploring the feasibility and cost of VHF and microwave
> solutions to this situation as well.  It appears that anything that we do will
> involve hardware costs, but if we can do it this way then the phone company
> won't be collecting a monthly fee forevermore, and that's got to add up to a
> saving down the line.
Especially if they would charge you by the minute for a dialup link. Even a
penny or two a minute adds up in a month. ($4320 a month at 0.01 per minute)
> 
> I definitely know more about this stuff now  and have more options to look
> at than I did a couple of days ago, thanks largely to the help of everyone 
> here
> on this mailing list.
> 


-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't





Re: [CentOS] Creating a CentOS Print Server for Windows Clients

2009-03-26 Thread Scott Silva
on 3-26-2009 11:32 AM Joseph L. Casale spake the following:
>> It just needs a working cups and samba install to get it working. I run
>> several linux print servers for windows clients, including driver installs.
> 
> What/How do you handle authentication/perms for the printers?
> 
>> The only real problem I had was right before service pack 3 came out for XP.
>> Some security update broke ALL my HP print drivers on the XP boxes. I fought
>> with it for 3 weeks, and had to create cups print driver based packages for
>> all the HP printers until SP3 magically fixed it. I never found out what
>> caused it.
> 
> Huh, that was my next question. It's trivial to add drivers for various 
> windows
> platforms to my windows servers, and it appears you have done this as well. I
> will check out Samba's doc site to see what's involved in making a cups print
> driver based package.
> 
> Thanks!
> jlc
You can also add regular windows drivers and have the print queues set as raw.
You add drivers the same way as windows servers.
If printers require auth for their connections you can set that up in cups. If
you want to have the actual print queues to require auth, I think you can do
that also. You just set up the samba users and passwords to be the same as
their windows NTLM credentials. You can even tie the samba printserver into a
domain controlled by a windows domain controller and pass the auth around that
way.

It is in the samba books. A lot of reading, but you can completely emulate a
NT machine currently, and in samba 4 they are talking about emulating a full
win 2000 type AD server.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't





Re: [CentOS] PXE-Kernel crashes with "RAMDISK: incomplete write ..." after modifying initrd.img

2009-03-26 Thread William L. Maltby

On Thu, 2009-03-26 at 17:49 +0100, Frank Thommen wrote:
> John Doe wrote:
> > Frank Thommen wrote:
> >>> [...]
> >>>  
> >>> The new image is considerably bigger than the old one (12 MB vs. 5.7 MB) 
> >>> which puzzles me, as the driver file itself is 2.8 MB (compared to the 
> >>> old e1000e.ko with ca 170 KB) [...]
> > 
> > Just wondering... can you safely strip modules like you would strip 
> > executables?

It's been a long time since I dinked with this stuff, but...

IIRC, there's several levels of strip. One strips everything, save for
standalone binaries (not dependent on run-time linking with a library)
and "safe". Safe leaves the external symbols intact so that the loader
can tell what linkages are needed. I don't remember the parameters, but
the manual should tell you.

I *think* that some symbols are needed for loadable modules for both the
kernel linkage and any references to shared libraries that might be
used. Again, I'm unsure now - too many decades have passed since I dinked
with this stuff.

> 

> Thanks
> 
> frank
> 

HTH
-- 
Bill



Re: [CentOS] CentOS VPN server for iPhone

2009-03-26 Thread Florin Andrei
Hywel Richards wrote:
> Florin Andrei wrote:
>> The options are: L2TP, PPTP and IPSec. If you were to install a VPN 
>> endpoint on CentOS, which protocol would you prefer?  
> 
> I know this doesn't answer your question as put, but it may be worth 
> taking a different tack and supplying whatever services wrapped with 
> SSL/TLS instead - I guess it depends exactly what you want the VPN for.

What's driving it at this point is IMAP access. Sure, I could expose the 
IMAP-over-SSL port to the Internet, but somehow that sounds even more 
scary than using a second-rate VPN server. I am using Cyrus IMAPd, but 
regardless, I just have a bad feeling about allowing everyone and their 
dog to poke directly at the software holding all my emails.

-- 
Florin Andrei

http://florin.myip.org/



Re: [CentOS] Creating a CentOS Print Server for Windows Clients

2009-03-26 Thread Ross Walker
On Mar 26, 2009, at 1:16 PM, "Joseph L. Casale"  wrote:

> A while ago I looked into this and was told not to bother as it was a
> hack at best. Anyone shed any reliable info on creating a print server
> for windows nt -> vista clients both x86 and x64 for a few Canon and
> HP IP Printers.
>
> Would this be reliable, are there any caveats or issues to be aware  
> of?

Samba print sharing is more dependable than Samba file sharing in my  
opinion.

The windows driver directory PRINT$ can take a little work to get  
setup properly, but after it's setup right you install drivers there  
from a Windows client as if it were any other print server.

-Ross



Re: [CentOS] CentOS VPN server for iPhone

2009-03-26 Thread Florin Andrei
Ralph Angenendt wrote:
> Florin Andrei wrote:
>> So far, OpenVPN has been working very well for me. Unfortunately, the 
>> iPhone doesn't have (yet?) an OpenVPN client, so I'm forced to work with 
>> what's available.
>>
>> The options are: L2TP, PPTP and IPSec. If you were to install a VPN 
>> endpoint on CentOS, which protocol would you prefer? 
> 
> IPSEC.
> 
> That's only a few entries in a file in /etc/sysconfig/network-scripts
> away from a working solution >:)
> 
> 

Okay, so it's included with the OS and some documentation is available. 
Good.

Now, from a practical perspective, how trustworthy is it? I'm looking 
for something to set up and forget. E.g. I am running Postfix instead of 
Sendmail precisely for the setup-and-forget nature of the software - the 
security track record of Postfix is remarkably good, so I can use it 
without having to worry too much. I threw the server away into a cabinet 
in the living room, it's hidden from view, it just works, very much like 
an appliance. Minimizing the admin time is crucial.

Same with OpenVPN. Turn it on and it just works, solid as a rock, no 
excessive worries about nasty security bugs every three months.

I haven't used IPSec VPN with Linux endpoints very much, so that's why 
I'm a bit unfamiliar with how robust these things are, from a security 
history perspective.

-- 
Florin Andrei

http://florin.myip.org/


Re: [CentOS] CentOS VPN server for iPhone

2009-03-26 Thread Les Mikesell
Florin Andrei wrote:

>>> The options are: L2TP, PPTP and IPSec. If you were to install a VPN 
>>> endpoint on CentOS, which protocol would you prefer?  
>> I know this doesn't answer your question as put, but it may be worth 
>> taking a different tack and supplying whatever services wrapped with 
>> SSL/TLS instead - I guess it depends exactly what you want the VPN for.
> 
> What's driving it at this point is IMAP access. Sure, I could expose the 
> IMAP-over-SSL port to the Internet, but somehow that sounds even more 
> scary than using a second-rate VPN server. I am using Cyrus IMAPd, but 
> regardless, I just have a bad feeling about allowing everyone and their 
> dog to poke directly at the software holding all my emails.

If you have a decent password (on all accounts) I wouldn't worry about 
it too much.  Move it to an odd port or even require a client 
certificate if your client software supports it.

The usual problem with IPSec is trying to make it work through a NAT 
router.   Does your server have a public address of its own?   SSL and 
OpenVPN can work through port-forwarding routers.

-- 
  Les Mikesell
lesmikes...@gmail.com


[CentOS] error when join my Centos machine to win2003 ADS server

2009-03-26 Thread fabian dacunha

Dear All,

I have successfully managed to have my Kerberos configured and working
without error when I say

kinit Administrator
and after entering password it works fine

my krb5.conf
--

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = BALADIA.LOCAL
 dns_lookup_kdc = false

 dns_lookup_realm = false
[realms]
BALADIA.LOCAL = {
   default_domain = baladia.local
  kdc = 172.16.2.227:88
  admin_server = 172.16.2.227:749
  kdc = KMUN
}

[domain_realm]
baladia.local = BALADIA.LOCAL



klist shows

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@baladia.local

Valid starting     Expires            Service principal
03/26/09 11:33:04  03/26/09 21:33:18  krbtgt/baladia.lo...@baladia.local
        renew until 03/27/09 11:33:04


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached



now i configured /etc/samba/smb.conf but when i try to join the domain

 net ads join -U Administrator
Administrator's password:
[2009/03/26 21:58:05, 0] utils/net_ads.c:ads_startup_int(286)
  ads_connect: No logon servers
Failed to join domain: No logon servers

After googling and trying various options in the /etc/samba/smb.conf file, here
is the latest smb.conf file
-

[global]
#--authconfig--start-line--

# Generated by authconfig on 2009/03/26 12:50:28
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = BALADIA.LOCAL
;   password server = kmun.baladia.local
   password server = 172.16.2.227
   realm = KMUN.BALADIA.LOCAL
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   winbind separator = +
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false
   encrypt passwords = yes
  log level = 3
#--authconfig--end-line--
encrypt passwords = yes
   dns proxy = no
   server string = Samba Server Version %v
   os level = 20
  client use spnego = no
server signing = auto

--

Where could I be going wrong?
I would be thankful and really appreciate your advice for any setting in my
smb.conf file.

Is there anything else to check?

When I run testparm it gives no errors.

Thanks and Regards

Fabian


Re: [CentOS] Installing on partitionable RAID arrays

2009-03-26 Thread D Tucny
2009/3/27 RedShift 

> Mogens Kjaer wrote:
> > RedShift wrote:
> > ...
> >>  Not only do you
> >> have to execute 4 times as much commands, reconstruction of the 4
> >> arrays will take place in parallel leading to slow disk access during
> >> reconstruction.
> >
> > Is this right?
> >
> > When I have replaced a disk and added several partitions
> > to an array, the rebuild is done one partition at a time.
> >
> > The /proc/mdstat would say "delayed" on the partitions
> > waiting.
> >
> > Mogens
>
> I must be mistaken then, it's been a long time since I've used regular md
> devices.
>
>
I can confirm this and furthermore, the default sync max transfer rate is
very low for modern disks, so unless you've increased it to speed up sync or
you have a very heavy disk workload, it's probably not going to impact
normal disk access that much...

That said... I'd much prefer partitionable arrays from a management point of
view... It's how all the hardware solutions work and they can't all be wrong
;)

d


Re: [CentOS] CentOS VPN server for iPhone

2009-03-26 Thread Florin Andrei
Les Mikesell wrote:
> 
> If you have a decent password (on all accounts) I wouldn't worry about 
> it too much.  Move it to an odd port or even require a client 
> certificate if your client software supports it.

The non-standard port is a good trick, but even assuming the iPhone does 
support it (which is far from certain, the interface is very simple and 
terse), I'm still a bit uncomfortable. All it takes is a stupid buffer 
overflow, and a script kiddie with patience and a portscanner - even if 
you send packets to DROP, it's still scannable, it just takes much 
longer. Port knocking is probably not doable (or not easily) from the 
iPhone.

Maybe I don't trust the IMAP server enough to expose it. Maybe I should.

> The usual problem with IPSec is trying to make it work through a NAT 
> router.   Does your server have a public address of its own?   SSL and 
> OpenVPN can work through port-forwarding routers.

I'm aware of the NAT issues. I've a decent amount of experience with 
IPSec in the enterprise actually, just not with Linux as a concentrator. 
The usual trick is to enable some sort of UDP tunneling, and then a good 
part of those issues is alleviated. The question is whether the Linux 
IPSec server supports UDP encapsulation (and whether the iPhone client 
does too).

The machine has a public interface exposed directly to the Internet, so 
that simplifies things a bit.

-- 
Florin Andrei

http://florin.myip.org/


Re: [CentOS] Dell 120 GB 5400 RPM Encrypted Serial ATA Hard Drive

2009-03-26 Thread Rob Kampen



nate wrote:
> Agile Aspect wrote:
>> Hi - I've been asked to re-partition a
>>
>> Dell 120 GB 5400 RPM Encrypted Serial ATA Hard Drive
>>
>> and install CentOS 5 on the new partition.
>>
>> It's a Dell Latitude E5400 laptop.
>>
>> Is this even possible with encrypted drives?
>
> How is it encrypted? Some new laptops come with drive encryption
> built into the hardware which I believe is totally transparent
> to the OS, sample device:
> http://www.seagate.com/docs/pdf/datasheet/disc/ds_momentus_5400_fde_3.pdf
>
> Looking at this:
> http://accessories.dell.com/sna/products/Internal_Hard_Drives/productdetail.aspx?c=ca&l=en&s=dhs&cs=cadhs1&sku=341-6557
>
> The drive they have seems similar, so I would expect
> re-partitioning to work fine, though of course back up any
> important data before trying.
>
> nate

Excuse a really dumb question, how does this provide me with security?
I assume it still uses the normal SATA interface and thus the OS writes 
to the drive as normal, but now it is encrypted onto the physical 
media. So now I steal the laptop, or just the physical drive, plug 
it into my SATA controller and voila read all the encrypted data off the 
drive???
I am obviously missing something - there must be a key somewhere off the 
drive for this to work as a securely encrypted system.

Flummoxed!



Re: [CentOS] PXE-Kernel crashes with "RAMDISK: incomplete write ..." after modifiying initrd.img

2009-03-26 Thread William L. Maltby

On Thu, 2009-03-26 at 14:56 -0400, William L. Maltby wrote:
> 

> It's been a long time since I dinked with this stuff, but...
> 
> IIRC, there's several levels of strip. One strips everything, save for

s/save/safe/   # RATS!

> standalone binaries (not dependent on run-time linking with a library)
> and "safe". Safe leaves the external symbols intact so that the loader
> can tell what linkages are needed. I don't remember the parameters, but
> the manual should tell you.
> 
> I *think* that some symbols are needed for loadable modules for both the
> kernel linkage and any references to shared libraries that might be
> used. Again, I'm unsure now - too many decades have passed since I dinked
> with this stuff.
> 

-- 
Bill



Re: [CentOS] error when join my Centos machine to win2003 ADS server

2009-03-26 Thread Rob Townley
2009/3/26 fabian dacunha :
>
> Dear All,
>
> I have successfully managed to have my Kerberos configured and working
> without error when I say
>
> kinit Administrator
> and after entering password it works fine
>
> my krb5.conf
> --
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = BALADIA.LOCAL
>  dns_lookup_kdc = false
>
>  dns_lookup_realm = false
> [realms]
> BALADIA.LOCAL = {
>   default_domain = baladia.local
>  kdc = 172.16.2.227:88
>  admin_server = 172.16.2.227:749
>  kdc = KMUN
> }
>
> [domain_realm]
> baladia.local = BALADIA.LOCAL
>
> 
>
> klist shows
>
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administra...@baladia.local
>
> Valid starting     Expires            Service principal
> 03/26/09 11:33:04  03/26/09 21:33:18  krbtgt/baladia.lo...@baladia.local
>        renew until 03/27/09 11:33:04
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> 
>
> now i configured /etc/samba/smb.conf but when i try to join the domain
>
>  net ads join -U Administrator
> Administrator's password:
> [2009/03/26 21:58:05, 0] utils/net_ads.c:ads_startup_int(286)
>  ads_connect: No logon servers
> Failed to join domain: No logon servers
>
> After googling and trying various options in the /etc/samba/smb.conf file, here
> is the latest smb.conf file
> -
>
> [global]
> #--authconfig--start-line--
>
> # Generated by authconfig on 2009/03/26 12:50:28
> # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> # Any modification may be deleted or altered by authconfig in future
>
>   workgroup = BALADIA.LOCAL
> ;   password server = kmun.baladia.local
>   password server = 172.16.2.227
>   realm = KMUN.BALADIA.LOCAL
>   security = ads
>   idmap uid = 16777216-33554431
>   idmap gid = 16777216-33554431
>   winbind separator = +
>   template shell = /bin/bash
>   winbind use default domain = true
>   winbind offline logon = false
>   encrypt passwords = yes
>  log level = 3
> #--authconfig--end-line--
>        encrypt passwords = yes
>       dns proxy = no
>       server string = Samba Server Version %v
>       os level = 20
>      client use spnego = no
>        server signing = auto
>
> --
>
> Where could I be going wrong?
> I would be thankful and really appreciate your advice for any setting in my
> smb.conf file.
>
> Is there anything else to check?
>
> When I run testparm it gives no errors.
>
> Thanks and Regards
>
> Fabian

Can you get to the ADS netlogon share?  It is //domainname/netlogon
which may be
//baladia.local/netlogon/ on your network.

//172.16.2.227/netlogon ?

Further, even connecting WinVista to a domain will sometimes require
raw editing of the hosts properties in LDAP.   SysInternal's
adexplorer.exe or jexplorer (don't use java 1.6) are good at this.
Specifically, you will want to make sure dnsHostName and
servicePrincipalName (SPN) are correct.  If not, these tools with the
domain admin privilege will let you edit these ldap entries directly.
Use a known good ADS connected node as an example.

There is a list of apps based on python-ldap at
http://python-ldap.sourceforge.net/apps.shtml
Some of those would provide adexplorer.exe type functionality, but I
haven't tried them for editing.  Hmmm, now I wonder if they work at
all with Samba b/c python hooks were removed in Samba 3.2.0 due to
lack of maintenance???

I would like a script that could be run on a Windows ADS server, an ADS
domain connected Windows client, and Linux.  The script would generate
and verify everything needed to successfully connect.  SASL required?
Unsecured or Secured auth?   Kerberos and LDAP identifying info.
ldapenum.pl was an attempt at this.

You will want to read the announcement for Samba 3.2; I am not
sure if 3.2 is in the CentOS release repo or not.  I ended up using
fc9/fc10 for ADS joins.  EnterpriseSamba.com may still be your best
bet for CentOS.
http://lists.samba.org/archive/samba-announce/2008/000145.html
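
An added example, not part of any post in this thread: a small Python consistency check over the krb5.conf and smb.conf settings quoted above, in the spirit of the "verify everything" script wished for in the reply. The function names are hypothetical, and the checks chosen (smb.conf realm agreeing with the Kerberos default realm, a short NetBIOS-style workgroup, SPNEGO left enabled) are this example's assumptions about what an ADS member configuration needs.

```python
import re

# Settings as posted in the thread above (only the lines the checks read).
KRB5_CONF = """\
[libdefaults]
 default_realm = BALADIA.LOCAL
 dns_lookup_kdc = false
[realms]
BALADIA.LOCAL = {
  default_domain = baladia.local
  kdc = 172.16.2.227:88
  admin_server = 172.16.2.227:749
  kdc = KMUN
}
[domain_realm]
baladia.local = BALADIA.LOCAL
"""

SMB_CONF = """\
[global]
   workgroup = BALADIA.LOCAL
;   password server = kmun.baladia.local
   password server = 172.16.2.227
   realm = KMUN.BALADIA.LOCAL
   security = ads
   client use spnego = no
"""


def parse_krb5(text):
    """Return (default_realm, set of realm names defined under [realms])."""
    section, depth, default_realm, realms = None, 0, None, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            section = header.group(1).lower()
            continue
        if line == "}":
            depth -= 1
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":  # start of a nested block such as "REALM = {"
            if section == "realms" and depth == 0:
                realms.add(key)
            depth += 1
        elif section == "libdefaults" and key == "default_realm":
            default_realm = value
    return default_realm, realms


def parse_smb_global(text):
    """Return the [global] parameters of smb.conf as a dict (last value wins)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # both characters start a comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params


def check_ads_join_config(krb5_text, smb_text):
    """Return a list of findings; an empty list means every check passed."""
    default_realm, realms = parse_krb5(krb5_text)
    smb = parse_smb_global(smb_text)
    if smb.get("security", "").lower() != "ads":
        return ["smb.conf: security is not 'ads'; ADS checks do not apply"]
    findings = []
    realm = smb.get("realm", "")
    if not realm:
        findings.append("smb.conf: 'realm' is not set")
    elif realm.upper() != (default_realm or "").upper():
        findings.append(f"realm mismatch: smb.conf realm={realm}, "
                        f"krb5.conf default_realm={default_realm}")
    if realm and realm.upper() not in {r.upper() for r in realms}:
        findings.append(f"krb5.conf [realms] has no entry for {realm}")
    workgroup = smb.get("workgroup", "")
    if "." in workgroup or len(workgroup) > 15:
        findings.append(f"workgroup={workgroup} looks like a DNS name; "
                        "it expects the short NetBIOS domain name")
    if smb.get("client use spnego", "yes").lower() in ("no", "false", "0"):
        # Assumption of this example: SPNEGO is how Samba clients
        # negotiate Kerberos, so it should stay enabled with security = ads.
        findings.append("client use spnego = no disables Kerberos negotiation")
    return findings


if __name__ == "__main__":
    for finding in check_ads_join_config(KRB5_CONF, SMB_CONF):
        print("WARN:", finding)
```
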


Re: [CentOS] Installing on partitionable RAID arrays

2009-03-26 Thread Les Mikesell
D Tucny wrote:
> 
>  > ...
>  >>  Not only do you
>  >> have to execute 4 times as much commands, reconstruction of the 4
>  >> arrays will take place in parallel leading to slow disk access
> during
>  >> reconstruction.
>  >
>  > Is this right?
>  >
>  > When I have replaced a disk and added several partitions
>  > to an array, the rebuild is done one partition at a time.
>  >
>  > The /proc/mdstat would say "delayed" on the partitions
>  > waiting.
>  >
>  > Mogens
> 
> I must be mistaken then, it's been a long time since I've used
> regular md devices.
> 
> 
> I can confirm this and furthermore, the default sync max transfer rate 
> is very low for modern disks, so unless you've increased it to speed up 
> sync or you have a very heavy disk workload, it's probably not going to 
> impact normal disk access that much...
> 
> That said... I'd much prefer partitionable arrays from a management 
> point of view... It's how all the hardware solutions work and they can't 
> all be wrong ;)

And if someone is thinking of changing things, what would really be nice 
would be a default install on a single disk where you could add the 
mirror disk later and sync it in.   Is that possible?

-- 
   Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] CentOS VPN server for iPhone

2009-03-26 Thread Scott Silva
on 3-26-2009 1:02 PM Florin Andrei spake the following:
> Les Mikesell wrote:
>> If you have a decent password (on all accounts) I wouldn't worry about 
>> it too much.  Move it to an odd port or even require a client 
>> certificate if your client software supports it.
> 
> The non-standard port is a good trick, but even assuming the iPhone does 
> support it (which is far from certain, the interface is very simple and 
> terse), I'm still a bit uncomfortable. All it takes is a stupid buffer 
> overflow, and a script kiddie with patience and a portscanner - even if 
> you send packets to DROP, it's still scannable, it just takes much 
> longer. Port knocking is probably not doable (or not easily) from the 
> iPhone.
> 
> Maybe I don't trust the IMAP server enough to expose it. Maybe I should.
> 
>> The usual problem with IPSec is trying to make it work through a NAT 
>> router.   Does your server have a public address of its own?   SSL and 
>> OpenVPN can work through port-forwarding routers.
> 
> I'm aware of the NAT issues. I've a decent amount of experience with 
> IPSec in the enterprise actually, just not with Linux as a concentrator. 
> The usual trick is to enable some sort of UDP tunneling, and then a good 
> part of those issues is alleviated. The question is whether the Linux 
> IPSec server supports UDP encapsulation (and whether the iPhone client 
> does too).
> 
> The machine has a public interface exposed directly to the Internet, so 
> that simplifies things a bit.
> 
I have several IMAP servers exposed. I just run fail2ban and it drops the
script kiddies and the brute force attacks after a couple of tries.
Unless the attacker already knows the username and password, that should stop
them cold.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't





Re: [CentOS] Dell 120 GB 5400 RPM Encrypted Serial ATA Hard Drive

2009-03-26 Thread nate
Rob Kampen wrote:

> Excuse a really dumb question, how does this provide me with security?
> I assume it still uses the normal SATA interface and thus the OS writes
> to the drive as normal, but now it is encrypted onto the physical
> media. so now I steal the laptop, or just the physical drive, plug
> it into my SATA controller and voila read all the encrypted data off the
> drive???
> I am obviously missing something - there must be a key somewhere off the
> drive for this to work as a securely encrypted system.

Never used it myself but from the PDF
http://www.seagate.com/docs/pdf/marketing/po_momentus_5400_fde.3.pdf

Consumers can easily integrate this drive and use their BIOS
password to set up authentication. They get easy, strong encryption
with no performance impact.

--

So it sounds like you're prompted for the password when you boot
the system, probably during POST somehow. Maybe it only works on
special modern versions of BIOSs.

nate




Re: [CentOS] CentOS VPN server for iPhone

2009-03-26 Thread Les Mikesell
Florin Andrei wrote:
> 
>> If you have a decent password (on all accounts) I wouldn't worry about 
>> it too much.  Move it to an odd port or even require a client 
>> certificate if your client software supports it.
> 
> The non-standard port is a good trick, but even assuming the iPhone does 
> support it (which is far from certain, the interface is very simple and 
> terse), I'm still a bit uncomfortable. All it takes is a stupid buffer 
> overflow, and a script kiddie with patience and a portscanner - even if 
> you send packets to DROP, it's still scannable, it just takes much 
> longer. Port knocking is probably not doable (or not easily) from the 
> iPhone.
> 
> Maybe I don't trust the IMAP server enough to expose it. Maybe I should.

Anything that can survive in a university environment should be safe 
enough for the rest of us.  But the client certificate requirement would 
really nail it down if that's a possibility.  You can do it with stunnel 
if the native IMAP service is difficult to configure for ssl (or even on 
a different internal machine).

-- 
   Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] Dell 120 GB 5400 RPM Encrypted Serial ATA Hard Drive

2009-03-26 Thread Robert Heller
At Thu, 26 Mar 2009 16:04:06 -0400 CentOS mailing list  
wrote:

> 
> 
> 
> 
> nate wrote:
> > Agile Aspect wrote:
> >   
> >> Hi - I've been asked to re-partition a
> >>
> >> Dell 120 GB 5400 RPM Encrypted Serial ATA Hard Drive
> >>
> >> and install CentOS 5 on the new partition.
> >>
> >> It's a Dell Latitude E5400 laptop.
> >>
> >> Is this even possible with encrypted drives?
> >> 
> >
> > How is it encrypted? Some new laptops come with drive encryption
> > built into the hardware which I believe is totally transparent
> > to the OS, sample device:
> > http://www.seagate.com/docs/pdf/datasheet/disc/ds_momentus_5400_fde_3.pdf
> >
> > Looking at this:
> > http://accessories.dell.com/sna/products/Internal_Hard_Drives/productdetail.aspx?c=ca&l=en&s=dhs&cs=cadhs1&sku=341-6557
> >
> > The drive they have seems similar, so I would expect
> > re-partitioning to work fine, though of course backup any
> > important data before trying.
> >
> > nate
> >
> >   
> Excuse a really dumb question, how does this provide me with security?
> I assume it still uses the normal SATA interface and thus the OS writes 
> to the drive as normal, but now it is encrypted onto the physical 
> media. so now I steal the laptop, or just the physical drive, plug 
> it into my SATA controller and voila read all the encrypted data off the 
> drive???
> I am obviously missing something - there must be a key somewhere off the 
> drive for this to work as a securely encrypted system.
> Flummoxed!

From what little I gathered from the promo PDF, there was some mumbling
about the BIOS.  I'm guessing that the drive somehow requests a passkey
during system startup somehow.  But this is only a guess.


-- 
Robert Heller -- 978-544-6933
Deepwoods Software-- Download the Model Railroad System
http://www.deepsoft.com/  -- Binaries for Linux and MS-Windows
hel...@deepsoft.com   -- http://www.deepsoft.com/ModelRailroadSystem/

   


Re: [CentOS] [OT] Network switches

2009-03-26 Thread D Tucny
2009/3/26 nate 

> Luke S Crawford wrote:
> > Les Mikesell  writes:
> >> If you get a service contract on any piece of Cisco equipment, you
> >> typically get download access to all of the firmware updates.
> >
> > Yeah, but the problem for me is that for my frontend network, 100M is
> just
> > fine.  A used cisco 3548 is going to set me back around $200.  For my
> > frontend,
> > it looks like a fine switch (my only question is... will it handle IPv6?
> > it does vlan tunneling so worst case I use a linux box to route my IPv6.)
> > Getting access to firmware updates is 5x that, every year.
>
> I suspect if you keep the switch in layer 2 mode IPv6 will work
> just fine, but I wouldn't expect IPv6 layer 3 support from the
> switch(so don't expect it to be able to act as a router for your
> IPv6 network, and you may need a separate IPv4 network to manage
> the switch over IP)
>
> It might work but I wouldn't expect it to.
>

A 3548 is only layer 2 anyway, i.e. ethernet switching, i.e. below IP... A
model sometimes confused with the 3548 is the 3550-48, the 48x100M member of
the 3550 series that replaced the 3500 series and as such the 3548, which
does have layer 3 functionality in the EMI releases, it's pretty good too
with wire speed forwarding even when using some of the layer 3 featureset...
But, it won't do any layer 3 IPv6 stuff as some of the tricks used to get
the speed include having certain functions done with dedicated silicon which
can't cope with IPv6 and of course can't be upgraded with firmware (some
versions of firmware have claimed some IPv6 support, but, I've not seen any
success with it)

d


Re: [CentOS] Installing on partitionable RAID arrays

2009-03-26 Thread Scott Silva
on 3-26-2009 12:50 PM D Tucny spake the following:
> 2009/3/27 RedShift
> 
> Mogens Kjaer wrote:
> > RedShift wrote:
> > ...
> >>  Not only do you
> >> have to execute 4 times as much commands, reconstruction of the 4
> >> arrays will take place in parallel leading to slow disk access during
> >> reconstruction.
> >
> > Is this right?
> >
> > When I have replaced a disk and added several partitions
> > to an array, the rebuild is done one partition at a time.
> >
> > The /proc/mdstat would say "delayed" on the partitions
> > waiting.
> >
> > Mogens
> 
> I must be mistaken then, it's been a long time since I've used
> regular md devices.
> 
> 
> I can confirm this and furthermore, the default sync max transfer rate
> is very low for modern disks, so unless you've increased it to speed up
> sync or you have a very heavy disk workload, it's probably not going to
> impact normal disk access that much...
> 
> That said... I'd much prefer partitionable arrays from a management
> point of view... It's how all the hardware solutions work and they can't
> all be wrong ;)
> 
> d
> 
And it would make it easier for a single hot-spare to be available to several
arrays that were configured differently.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't





[CentOS] CentOS 5.2 and wired Ethernet on a Macbook Pro?

2009-03-26 Thread Scott R. Ehrlich
I recently installed CentOS 5.2 64-bit on a partition on a MacBook Pro 17 
inch.  It installed just fine, but wired Ethernet is not available.  lspci 
shows it as nVidia...unknown.

Is it possible to get wired Ethernet running on this laptop under CentOS 
without having to create a virtual machine installation of CentOS?

If so, what is the magic?

Thanks.

Scott


Re: [CentOS] CentOS 5.2 and wired Ethernet on a Macbook Pro?

2009-03-26 Thread Karanbir Singh
Scott R. Ehrlich wrote:
> Is it possible to get wired Ethernet running on this laptop under CentOS 
> without having to create a virtual machine installation of CentOS?
> 
> If so, what is the magic?

If you send me the device, I will have a go at making it all just work :)

-- 
Karanbir Singh : http://www.karan.org/ : 2522...@icq


Re: [CentOS] Getting ready for CentOS 5.4

2009-03-26 Thread mbneto
Hi,

As the OP (original poster?) I've read all messages so far and instead of
replying to each one I'd like to sum all up and perhaps clarify my post so
we can move on with some more productive debate.

A background info:  I've been using CentOS for almost three years and I am
happy with it.   Sometimes I do need to use something not provided by it (nor
RHEL) and I use separate repositories but it is minimal.

My intention while posting the question is that, even though it is a
community based distro, I felt confused by the fact that a long time has
passed and still no message was posted explaining why that happened and no
call for help (if that was the case)  was made.

One suggested that if I was not happy just go and buy the RHEL with their
support.  Otherwise shut up and be glad with whatever I receive (for free)
from CentOS.   I think we can reach a middle ground.

One reported that the development team of CentOS has only three guys and
they can have personal problems (like being sick, tired, getting married -
not that this is a problem).

I do not have any sort of numbers of the popularity of CentOS but I suspect
that we are very popular and in that sense a certain level of responsibility
(to that community) is required.

Please note that I am not saying that the team (3 or 300) is not
responsible.  As I've been made aware by some posts the team shows a level
of commitment that surely affects their personal/professional environment.

But in the end we can't close our eyes to the fact that this release is
'late' and that security issues were disclosed and so far no real date is
set.

And that is the focus.  No matter how much effort and despite the problems
that occurred between the RHEL release and CentOS we must ask ourselves  why
it happened this way and what can I(we) do to improve that.

I think that the team (and other members of this list) ask the same question
when they finish something and start wondering how they can make it
better/faster/cheaper.

In that sense my suggestions : raise money / improve transparency / build
some sort of communication channel for situations like this go in that
direction.

We should have fun. If this is not the case sooner or later we will give
up.  And as long as CentOS stays a relevant distro the pressure (not only
from me) will continue to rise.   How to create a comfort zone in this
case?

Perhaps this particular episode can reveal some aspects that, at least for
myself, were unknown.  So the final questions are:

a) does the team (or the core at least) feel the same way/think this may be a
problem?
b) what can we do next?

Regards.


Re: [CentOS] CentOS VPN server for iPhone

2009-03-26 Thread Joseph L. Casale
>The non-standard port is a good trick,

Here's just an opinion: Security by obscurity only
makes >you< feel good, it does nothing in reality.
Anyone sufficiently talented to hack a service in
order to gain root or do something useful would not
be fooled by that. Set whatever you're doing up right
so that any false sense of security is not deemed
necessary.

Prevent weak passwords, possibly use connection throttling
etc etc.

Just my opinion that "Works for me".
jlc



Re: [CentOS] CentOS VPN server for iPhone

2009-03-26 Thread Florin Andrei
Les Mikesell wrote:
> Florin Andrei wrote:
>>
>> Maybe I don't trust the IMAP server enough to expose it. Maybe I should.
> 
> Anything that can survive in a university environment should be safe 
> enough for the rest of us.

That's a good point.

Okay, I have a few things to try now.

-- 
Florin Andrei

http://florin.myip.org/



Re: [CentOS] Acrobat Reader 9 on Centos 4.7

2009-03-26 Thread Rob Townley
On Thu, Mar 26, 2009 at 9:04 AM, tblader  wrote:
> Hello,
> Anyone know how to get Acrobat 9 running* on Centos 4.7?
> Looks like a libc conflict:
>
>   /Adobe/Reader9/Reader/intellinux/bin/acroread: error while loading shared \
>   libraries: /apps/Adobe/Reader9_libs/libstdc++.so.6: requires glibc 2.5 or 
> later dynamic linker
>
> Thanks
> Thomas
>
> [*] - http://www.us-cert.gov/cas/techalerts/TA09-051A.html
> --
>
> Flambeau Inc. Technology Center - Baraboo, WI
> Email    : tbla...@flambeau.com
> Keyserver: http://pgp.mit.edu KeyID: 0x00E9EC2C
>

Are you using the Adobe repository?


[CentOS] revisor tool

2009-03-26 Thread JC Putter
Hi, does Revisor work on CentOS 5.2 final?

Is it possible to create my own distro with config and all 3rd party installed 
software?




[CentOS] tar with -N option still picking up old files

2009-03-26 Thread Neil Aggarwal
Hello:

I tried this command to tar up a set of data files
updated since yesterday (The data directory contains
multiple files with varying dates):

/bin/tar -z -c -N 2009-03-25 -f /tmp/test.tgz data

When I look at the content of the test.tgz file,
it looks like it copied the content of the entire
directory, not just the newer files.

I am on CentOS 5.

Any ideas?

Thanks,
Neil

--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com


Re: [CentOS] tar with -N option still picking up old files

2009-03-26 Thread Akemi Yagi
On Thu, Mar 26, 2009 at 3:16 PM, Neil Aggarwal  wrote:
> Hello:
>
> I tried this command to tar up a set of data files
> updated since yesterday (The data directory contains
> multiple files with varying dates):
>
> /bin/tar -z -c -N 2009-03-25 -f /tmp/test.tgz data
>
> When I look at the content of the test.tgz file,
> it looks like it copied the content of the entire
> directory, not just the newer files.
>
> I am on CentOS 5.

Try --newer-mtime instead of -N.  In my case (CentOS-4 backup
machine), the -N option did not work as it's supposed to.  Not sure
about tar on CentOS-5 though.

Akemi
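
An added example (not part of the thread) of how the two options differ in GNU tar: -N/--newer keeps a file when either its modification time or its status-change time (ctime) is later than the date, while --newer-mtime looks at the modification time alone. The file names and dates are constructed, GNU tar is assumed, and whether ctime explains the original poster's result is an assumption the thread does not confirm.

```shell
#!/bin/sh
# Added illustration; file names and dates are constructed for the demo.
# GNU tar is assumed (the -N and --newer-mtime options discussed in the thread).

# newer_demo OPTION
#   OPTION is "-N" or "--newer-mtime". Builds a scratch directory holding one
#   file with a backdated mtime and one fresh file, archives it with the
#   cutoff 2009-03-25, and prints the archived file names joined by commas.
newer_demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/data"
    echo "old contents" > "$work/data/old.txt"
    echo "new contents" > "$work/data/new.txt"

    # Backdate only the modification time of old.txt to 2009-03-20 00:00.
    # The file was still created (and touched) just now, so its
    # status-change time (ctime) is the current time and cannot be set back.
    touch -t 200903200000 "$work/data/old.txt"

    tar -C "$work" -z -c "$1" 2009-03-25 -f "$work/out.tgz" data 2>/dev/null

    # Directory entries are stored regardless of the date filter, so list
    # regular members only (names not ending in "/").
    tar -tzf "$work/out.tgz" | grep -v '/$' | sort | paste -sd, -

    rm -rf "$work"
}

printf '%-15s %s\n' "-N" "$(newer_demo -N)"
printf '%-15s %s\n' "--newer-mtime" "$(newer_demo --newer-mtime)"
```

Files that were copied, restored or had their permissions changed after the cutoff have a recent ctime even when their mtime is old, which is the case where -N selects more than expected.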


Re: [CentOS] Getting ready for CentOS 5.4

2009-03-26 Thread Spiro Harvey

I've got a couple of cents change here...

On Thu, 26 Mar 2009 17:41:41 -0400
mbneto  wrote:

> I do not have any sort of numbers of the popularity of CentOS but I
> suspect that we are very popular and in that sense a certain level of
> responsibility (to that community) is required.


"required"? How do you figure anything is *required* of volunteers?
Show me your support contract.

If you're worried that CentOS is "late" or is stopping you from
fulfilling your own contractual obligations, perhaps you should stop
being a tight-arse and pay for RedHat support.

When you pay nothing, you have no right to expect anything. Unless
they're your slaves, and I'm pretty sure that's not the case here.


> And as long as CentOS stays a relevant distro the pressure (not 
> only from me) will continue to raise.

This is just rude. 





[CentOS] security by obscurity [was: CentOS VPN server for iPhone]

2009-03-26 Thread Florin Andrei
Joseph L. Casale wrote:
>> The non-standard port is a good trick,
> 
> Here's just an opinion: Security by obscurity only
> makes >you< feel good, it does nothing in reality.
> Anyone sufficiently talented to hack a service in
> order to gain root or do something useful would not
> be fooled by that. Set whatever you're doing up right
> so that any false sense of security is not deemed
> necessary.

I've seen this before - when the non-standard port trick is mentioned, 
somebody usually gets up and goes "it's security by obscurity! it does 
nothing to protect you! it only gives you the fuzzies!"

I think that's a nice example of pervasive fallacious binary thinking, 
combined with an old tired slogan that by all rights should be dead by now.

First off, it doesn't do "nothing". It does make things a bit harder 
for the attacker. Not much, but it's not zero either. It does eliminate 
a whole class of attacks actually - the mass scanbots or the most 
moronic script kiddies, which by the way represent the highest volume of 
malicious traffic on almost any public network. If I can do something to 
avoid getting 0wned by a pimple-face armed with a zero-day exploit and a 
bunch of bots scanning the Internet for standard ports, by all means 
I'll do it. I can't do this for a public server, which by definition 
must stand out in the clear; but for private-use stuff, why not if it's 
not too cumbersome for me? All I need is buy myself 24 hours of respite, 
until I get the patch, and the non-standard port may well do that for 
me. Or not. It's a gamble, yes, like everything else in the real world.

Secondly, nobody said that was the only line of defense. I do use other 
mechanisms as well. That's how security works, by wrapping your stuff in 
several layers of protection. You deploy several different measures, 
working in various ways, and hope they cover each other's holes.

Lastly, there is *absolutely no security measure* that is perfect. By 
the same token, we should not use firewalls, because they can be 
circumvented by people who are skilled enough, nor use passwords, 
because they can be guessed or brute-forced. And so on.

If a security measure doesn't make things too hard for the user and/or 
for the administrator (and in this case it doesn't, myself being one of 
the very few users and the sole admin), and it's not too expensive, then 
it should probably be used. It's one more peel added to the security 
"onion" and it's a plus, not a minus or a zero.

Ironically, exactly the people claiming to give security "advice" by 
saying this measure or another "does nothing in reality" because it's 
"security by obscurity", it's them who, in my view, show they don't 
really understand what security actually is. Brandishing a bunch of 
slogans does not equate with being knowledgeable in this field. 
Technical skills, experience, and a measure of realism and common sense 
are required instead.

You may want to read about the various cryptographic algorithms - they 
work, in essence, by "obscuring" the cleartext. The patterns are still 
there, they are just made hard to distinguish from the pseudo-noise by 
the algorithm - the better the crypto, the fainter the patterns. That's 
how some ciphertext-only attacks work, by looking for evanescent 
patterns in the sea of seeming randomness.
It's a scary thought if you spend time considering it, but in practice 
strong crypto does work to some extent. But if it's just "security by 
obscurity" should we not use crypto either?

Yes, "security by obscurity" is useless when it's alone, but it can be 
good if used appropriately and combined with various other measures. We 
should put this slogan to rest by now, it's 2009 already. Sheesh.

-- 
Florin Andrei

http://florin.myip.org/


Re: [CentOS] [OT] Network switches

2009-03-26 Thread Scott McClanahan

> 
> 
> A 3548 is only layer 2 anyway, i.e. ethernet switching, i.e. below
> IP... A model sometimes confused with the 3548 is the 3550-48, the
> 48x100M member of the 3550 series that replaced the 3500 series and as
> such the 3548, which does have layer 3 functionality in the EMI
> releases, it's pretty good too with wire speed forwarding even when
> using some of the layer 3 featureset... But, it won't do any layer 3
> IPv6 stuff as some of the tricks used to get the speed include having
> certain functions done with dedicated silicon which can't cope with
> IPv6 and of course can't be upgraded with firmware (some versions of
> firmware have claimed some IPv6 support, but, I've not seen any
> success with it)
> 
> d
> 
> 

I'm the OP in case you've forgotten since this thread has been so active
but just wanted to say thanks to everyone for the feedback!

On the subject of layer 3 switching, it's an absolute must for us.  IPv6
is not important at all to us.  I, as the admin, care most about
manageability, servicability (not sure if that's a word),  and security.

I'll probably rule out anything that doesn't offer at least 48 ports of
10/100/1000, ssh, port mirroring or spanning sessions, snmp, unique
spanning trees per vlan, and something like vrrp.  It would be nice to
have 802.3ad (I think that's the right one) capability to do some link
aggregation between the switches as well.  

Not really asking for anything in this post but just providing more
information in case you're interested.  Thanks again.


Re: [CentOS] Dell 120 GB 5400 RPM Encrypted Serial ATA Hard Drive

2009-03-26 Thread Ionut Vancea
Hi,

2009/3/26 Rob Kampen :
>
> Excuse a really dumb question, how does this provide me with security?
> I assume it still uses the normal SATA interface and thus the OS writes to
> the drive as normal, but now it is encrypted onto the physical media. So
> now I steal the laptop, or just the physical drive, plug it into my SATA
> controller and voila read all the encrypted data off the drive???
> I am obviously missing something - there must be a key somewhere off the
> drive for this to work as a securely encrypted system.
> Flummoxed!

At the end of that article:
http://headworx.slupik.com/2008/02/fde-full-disk-encryption-hard-drive.html
there are three useful links which maybe will clarify how FDE works.

From the last link:

"In short, it is a security solution that fully encrypts your entire
Hard Disk Drive (HDD), including the Operating System etc. It is one
of the "most transparent" encryption products you can get for your
computer. Once installed you just have to authenticate once before the
boot time, and if successful the HDD is unlocked and behaves like any
other HDD. You don't have to worry about what files to encrypt and
what not to encrypt. With FDE everything is encrypted. It is for the
same reason that the US Government is currently conducting a
competition of various FDE solutions to select and implement the best
one."

Cheers,

-- 
===
Ioan Vancea
http://www.vioan.ro


Re: [CentOS] Getting ready for CentOS 5.4

2009-03-26 Thread Ray Van Dolson
On Fri, Mar 27, 2009 at 11:38:06AM +1300, Spiro Harvey wrote:
> 
> I've got a couple of cents change here...
> 
> On Thu, 26 Mar 2009 17:41:41 -0400
> mbneto  wrote:
> 
> > I do not have any sort of numbers of the popularity of CentOS but I
> > suspect that we are very popular and in that sense a certain level of
> > responsibility (to that community) is required.
> 
> 
> "required"? How do you figure anything is *required* of volunteers?
> Show me your support contract.
> 
> If you're worried that CentOS is "late" or is stopping you from
> fulfilling your own contractual obligations, perhaps you should stop
> being a tight-arse and pay for RedHat support.
> 
> When you pay nothing, you have no right to expect anything. Unless
> they're your slaves, and I'm pretty sure that's not the case here.
> 
> 
> > And as long as CentOS stays a relevant distro the pressure (not 
> > only from me) will continue to raise.
> 
> This is just rude. 
> 

I really wish people would quit being so over-sensitive like this.  How
many disclaimers must be posted?  We are ALL aware that nothing is
guaranteed nor supported in a volunteer project such as this one.

Is there still no room for positive feedback and discussion from
developers and end users alike on how to approve things?

Let's not assume the OP is attacking anyone.  I'm assuming he's looking
for a way to help.

Ray


Re: [CentOS] Getting ready for CentOS 5.4

2009-03-26 Thread Rainer Duffner
Spiro Harvey wrote:
> I've got a couple of cents change here...
>
>   


While I do think some of the wording of the post that the above post was
replying to was a bit mis-chosen, I like to believe it had a positive spin.
(In that it didn't want to put blame on anybody)

I *do* agree with the sentiment that people should buy RHEL for stuff
they consider critical.
Or just change distro if they think they get a better deal elsewhere.

Which is what I normally do, unless management decides they can get away
cheaper and in essence get RHEL + updates for free with CentOS.

The CentOS team certainly doesn't owe me CentOS 5.3 by now - in the same
way I can't really complain about a late (again) FreeBSD release.



Rainer


Re: [CentOS] security by obscurity [was: CentOS VPN server for iPhone]

2009-03-26 Thread Joseph L. Casale
>I think that's a nice example of pervasive fallacious binary thinking, 
>combined with an old tired slogan that by all rights should be dead by now.

Ok...

>By the same token, we should not use firewalls, because they can be 
>circumvented by people who are skilled enough, nor use passwords, 
>because they can be guessed or brute-forced. And so on.

Really, tell me how you really think? :)

>I can't do this for a public server, which by definition 
>must stand out in the clear; but for private-use stuff, why not if it's 
>not too cumbersome for me?

Ok, so all my public servers will be owned, but all my private servers are
"now" safe? (that's my only point, it's most often not feasible, and in the few
situations where it is, did I *really* gain anything?)[1]

>Yes, "security by obscurity" is useless when it's alone, but it can be 
>good if used appropriately and combined with various other measures. We 
>should put this slogan to rest by now, it's 2009 already. Sheesh.

It's not an old slogan that should be put to rest, it's a valid mistake (made by
some, in some situations, in my opinion (fallacious argument anyway, should
"server administration" be banned, as that slogan has been around for a while?).

Like I said, my opinion and I never suggested it was your only line of defense.
I only said it was my opinion, for which "I" think has good reason, see [1].

Let me restate, it's only my opinion. YMMV :) (Heh, is it Friday yet?)
jlc


Re: [CentOS] security by obscurity [was: CentOS VPN server for iPhone]

2009-03-26 Thread Robert Moskowitz
Let me introduce myself:

Robert Moskowitz, ICSAlabs, an Independent Division of Verizon Business 
Systems.

Security IS my business and I am a bit of a 'maverick' even in the labs 
on my positions. ICSAlabs is the company that certifies products: 
Firewalls, malware, IDS, IPsec, SSLvpn, etc.

Florin Andrei wrote:
> Joseph L. Casale wrote:
>   
>>> The non-standard port is a good trick,
>>>   
>> Here's just an opinion: Security by obscurity only
>> makes >you< feel good, it does nothing in reality.
>> Anyone sufficiently talented to hack a service in
>> order to gain root or do something useful would not
>> be fooled by that. Set whatever you're doing up right
>> so that any false sense of security is not deemed
>> necessary.
>> 
>
> I've seen this before - when the non-standard port trick is mentioned, 
> somebody usually gets up and goes "it's security by obscurity! it does 
> nothing to protect you! it only gives you the fuzzies!"
>
> I think that's a nice example of pervasive fallacious binary thinking, 
> combined with an old tired slogan that by all rights should be dead by now.
>   

Binary thinking will get you 0wned in security. Defense in depth and 
raising the bar.

> First off, it doesn't do "nothing". It does make things a bit harder 
> for the attacker. Not much, but it's not zero either. It does eliminate 
> a whole class of attacks actually - the mass scanbots or the most 
> moronic script kiddies, which by the way represent the highest volume of 
> malicious traffic on almost any public network. If I can do something to 
> avoid getting 0wned by a pimple-face armed with a zero-day exploit and a 
> bunch of bots scanning the Internet for standard ports, by all means 
> I'll do it. I can't do this for a public server, which by definition 
> must stand out in the clear; but for private-use stuff, why not if it's 
> not too cumbersome for me? All I need is buy myself 24 hours of respite, 
> until I get the patch, and the non-standard port may well do that for 
> me. Or not. It's a gamble, yes, like everything else in the real world.
>   

Just moving SSH to a high port, will stop a lot of traffic coming in on 
your DSL/cable link. When the bots find port 22, they start pounding. 
They don't portscan (at least not today), there are too many 
opportunities at port 22 for them. This is one of the first steps I do 
whenever I build a Linux system. It also cuts down on logging of all of 
those failed logins that end up in your nightly cron report.

Then I DO set up rate limiting using shorewall, but this does not help 
me much with IPv6 SSH on Centos...

> Secondly, nobody said that was the only line of defense. I do use other 
> mechanisms as well. That's how security works, by wrapping your stuff in 
> several layers of protection. You deploy several different measures, 
> working in various ways, and hope they cover each other's holes.
>   

Rate limiting on some services is another tool. Look for what makes 
sense for you and look at your total picture. Perhaps you only have one 
system that you tunnel into that gives you access to all others. So that 
one system is really hardened. But the others are not neglected, but 
perhaps don't need the same level of protection.

Yes make things obscure as one of the first steps and go from there.

> Lastly, there is *absolutely no security measure* that is perfect. By 
> the same token, we should not use firewalls, because they can be 
> circumvented by people who are skilled enough, nor use passwords, 
> because they can be guessed or brute-forced. And so on.
>
> If a security measure doesn't make things too hard for the user and/or 
> for the administrator (and in this case it doesn't, myself being one of 
> the very few users and the sole admin), and it's not too expensive, then 
> it should probably be used. It's one more peel added to the security 
> "onion" and it's a plus, not a minus or a zero.
>
> Ironically, exactly the people claiming to give security "advice" by 
> saying this measure or another "does nothing in reality" because it's 
> "security by obscurity", it's them who, in my view, show they don't 
> really understand what security actually is. Brandishing a bunch of 
> slogans does not equate with being knowledgeable in this field. 
> Technical skills, experience, and a measure of realism and common sense 
> are required instead.
>   

What is the threat.
What is your risk.
What is the cost.

If any of those is zero, the product is zero. (per Dr. Peter Tippett, my 
boss).

> You may want to read about the various cryptographic algorithms - they 
> work, in essence, by "obscuring" the cleartext. The patterns are still 
> there, they are just made hard to distinguish from the pseudo-noise by 
> the algorithm - the better the crypto, the fainter the patterns. That's 
> how some ciphertext-only attacks work, by looking for evanescent 
> patterns in the sea of seeming randomness.
> It's a scary thought if you spend time considering 
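
Connection throttling (suggested earlier in the thread) and the rate limiting mentioned in the message above both act on a per-source failure rate. As an added example, not code from any poster: a shell/awk pass over sshd log lines that reports sources reaching a threshold of failed logins inside a time window. The log lines, the host name gw, the user names and the function names are constructed for the illustration.

```shell
#!/bin/sh
# Added illustration. The log lines are constructed; addresses come from the
# documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.
sample_log() {
cat <<'EOF'
Mar 26 02:00:10 gw sshd[1990]: Failed password for alice from 198.51.100.23 port 50211 ssh2
Mar 26 03:14:01 gw sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar 26 03:14:03 gw sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40115 ssh2
Mar 26 03:14:05 gw sshd[2105]: Failed password for invalid user root from 192.0.2.1 from 203.0.113.7 port 40120 ssh2
Mar 26 03:14:08 gw sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 40123 ssh2
Mar 26 03:14:11 gw sshd[2109]: Failed password for root from 203.0.113.7 port 40127 ssh2
Mar 26 09:30:00 gw sshd[3050]: Failed password for alice from 198.51.100.23 port 50390 ssh2
Mar 26 09:30:20 gw sshd[3052]: Accepted publickey for alice from 198.51.100.23 port 50391 ssh2
Mar 26 17:45:12 gw sshd[4410]: Failed password for alice from 198.51.100.23 port 51002 ssh2
EOF
}

# throttle_candidates THRESHOLD WINDOW_SECONDS   (sshd log on stdin)
#   Prints "address count" for every source that produced at least THRESHOLD
#   failed password attempts inside some WINDOW_SECONDS span, where count is
#   the largest number of failures seen in one such span.
#   Assumes chronological input within one month (day-of-month is the clock).
throttle_candidates() {
    awk -v thr="$1" -v win="$2" '
    / sshd\[[0-9]+\]: Failed password for / {
        # The user name is supplied by the remote side and may contain
        # spaces or the word "from", so take the address from the fixed
        # tail of the line: ... from ADDRESS port N ssh2
        if ($(NF - 4) != "from" || $(NF - 2) != "port") next
        ip = $(NF - 3)

        split($3, t, ":")
        now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]

        n = ++seen[ip]
        stamp[ip, n] = now

        # Slide the start of the window forward past expired attempts.
        if (!(ip in first)) first[ip] = 1
        while (now - stamp[ip, first[ip]] > win) first[ip]++

        burst = n - first[ip] + 1
        if (burst > worst[ip]) worst[ip] = burst
    }
    END {
        for (ip in worst)
            if (worst[ip] >= thr) print ip, worst[ip]
    }' | sort
}

# Four or more failures within one minute: only the burst source is listed.
sample_log | throttle_candidates 4 60
```

The user who mistyped a password three times over the day stays below a per-minute threshold, and the address that appears only inside a submitted user name is never counted as a source.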

Re: [CentOS] [OT] Network switches

2009-03-26 Thread nate
Scott McClanahan wrote:

> I'll probably rule out anything that doesn't offer at least 48 ports of
> 10/100/1000, ssh, port mirroring or spanning sessions, snmp, unique
> spanning trees per vlan, and something like vrrp.  It would be nice to
> have 802.3ad (I think that's the right one) capability to do some link
> aggregation between the switches as well.
>
> Not really asking for anything in this post but just providing more
> information in case you're interested.  Thanks again.

You may want to check out sflow instead of using something
like port mirroring, with sflow (on sflow-enabled devices) it
samples enough data that you can get almost everything that flows
through the network and can do so at line rate on every port,
so even if you're pushing 100Gbit on your switch you don't need
to worry about performance impact, something that wouldn't
be possible with port mirroring or cisco netflow.

http://www.sflow.org/sFlowOverview.pdf

nate



[CentOS] mirrorlist.centos.org offline? NO A RECORD IN DNS

2009-03-26 Thread Danny.Terweij
Is mirrorlist.centos.org out of the air? because there is no A record for 
it.

Which causes yum to fail.

Could not retrieve mirrorlist 
http://mirrorlist.centos.org/?release=5&arch=x86_64&repo=os error was
[Errno 4] IOError: 
Error: Cannot find a valid baseurl for repo: base

Danny.



Re: [CentOS] mirrorlist.centos.org offline? NO A RECORD IN DNS

2009-03-26 Thread Marcelo Roccasalva
On Thu, Mar 26, 2009 at 10:03 PM, Danny.Terweij  wrote:
> Is mirrorlist.centos.org out of the air? because there is no A record for
> it.

Not for me:

$ host mirrorlist.centos.org
mirrorlist.centos.org has address 204.15.73.243
mirrorlist.centos.org has address 72.21.40.11


-- 
Marcelo

"Could it be that this modern life is turning out to be more modern than
life?" (Mafalda)


Re: [CentOS] mirrorlist.centos.org offline? NO A RECORD IN DNS

2009-03-26 Thread Rainer Duffner

On 27.03.2009 at 02:08, Marcelo Roccasalva wrote:

> On Thu, Mar 26, 2009 at 10:03 PM, Danny.Terweij wrote:
>> Is mirrorlist.centos.org out of the air? because there is no A record for
>> it.
>
> Not for me:
>
> $ host mirrorlist.centos.org
> mirrorlist.centos.org has address 204.15.73.243
> mirrorlist.centos.org has address 72.21.40.11
>



Oh-dear ;-)

I can already see various people posting the various variations of 
dig/nslookup/host output, from various servers around the world...

;-)


Rainer


Re: [CentOS] mirrorlist.centos.org offline? NO A RECORD IN DNS

2009-03-26 Thread Danny.Terweij
From: "Marcelo Roccasalva" 

>> Is mirrorlist.centos.org out of the air? because there is no A record for
>> it.

>Not for me:

>$ host mirrorlist.centos.org
>mirrorlist.centos.org has address 204.15.73.243
>mirrorlist.centos.org has address 72.21.40.11

# host centos.org
centos.org mail is handled by 10 mail.centos.org.
# host mirrorlist.centos.org
#

and dig gives:

# dig mirrorlist.centos.org any
;; QUESTION SECTION:
;mirrorlist.centos.org. IN  ANY

;; AUTHORITY SECTION:
centos.org. 11741   IN  NS  ns3.centos.org.
centos.org. 11741   IN  NS  ns1.centos.org.
centos.org. 11741   IN  NS  ns2.centos.org.
centos.org. 11741   IN  NS  ns2.uklinux.net.

;; ADDITIONAL SECTION:
ns1.centos.org. 407 IN  A   72.21.40.11
ns2.centos.org. 407 IN  A   131.211.85.43
ns2.uklinux.net.43890   IN  A   80.84.64.25
ns3.centos.org. 407 IN  A   88.208.217.170

dig directly at one of their nameservers:

# dig @80.84.64.25 mirrorlist.centos.org any
;; ANSWER SECTION:
mirrorlist.centos.org.  300 IN  A   72.21.40.11
mirrorlist.centos.org.  300 IN  A   204.15.73.243


Maybe my upstream DNS server is not refreshed or so?

Danny.



[CentOS] Installing openmpi & lam for use with R

2009-03-26 Thread Rick Bilonick
I am trying to install the R package "Rmpi" which needs libmpi. I've
installed openmpi and lam in Centos 5.2:

[r...@rab45-1 /]# rpm -qv openmpi
openmpi-1.2.5-5.el5
openmpi-1.2.5-5.el5
[r...@rab45-1 /]# rpm -qv lam
lam-7.1.2-14.el5
lam-7.1.2-14.el5

But I get the following error message when trying to install Rmpi:

/usr/bin/ld: skipping incompatible /usr/lib/lam/lib/libmpi.so when
searching for -lmpi

I'm not sure what else to install/uninstall to fix this.

Rick B.





[CentOS] 64bit Python 32bit c library ...

2009-03-26 Thread Ben
I have a closed-source 32bit database application running on a 64bit 
CentOS 5.2 system which is running very well however i am looking at 
developing some python applications that require access to the data and 
the vendor only provides a 32bit c library.

So while attempting to utilize the library in python with ctypes it 
became obvious that the 64bit python cannot use the 32bit c library.

So what are my choices?

1. is there a way to use the 32bit library in 64bit python i haven't found?
2. install 32bit python on the 64bit system.  'yum list python.i386' 
shows that 32bit python is not available.
3. manually compile and install 32bit python and _ALL_ its libraries 
under /opt.  has someone already done this? are the RPMs available?

let me just say that i am no python expert, yet, so bear with me.

Any help would be appreciated.

Ben


Re: [CentOS] 64bit Python 32bit c library ...

2009-03-26 Thread Mark Pryor



--- On Thu, 3/26/09, Ben  wrote:

> From: Ben 
> Subject: [CentOS] 64bit Python 32bit c library ...
> To: "CentOS mailing list" 
> Date: Thursday, March 26, 2009, 10:48 PM
> 
> -Inline Attachment Follows-
> 
> I have a closed-source 32bit
> database application running on a 64bit 
> CentOS 5.2 system which is running very well however i am
> looking at 
> developing some python applications that require access to
> the data and 
> the vendor only provides a 32bit c library.
> 
> So while attempting to utilize the library in python with
> ctypes it 
> became obvious that the 64bit python cannot use the 32bit c
> library.
> 
> So what are my choices?
> 

Yum and so many of the applets (system-config-*) are tied to Python that you 
can't mess with the base version or arch of Python.

What about a 32 bit chroot using Mock? I've never done it, but that's what Mock 
is intended to do.

Perl.i386 will run OK in x86_64 and there is a version of perl-Inline-CPP that 
will allow you to write most of what you want in CPP and wrap it with Perl.

-- 
Mark



  


Re: [CentOS] 64bit Python 32bit c library ...

2009-03-26 Thread Ben
Mark Pryor wrote:
>
> --- On Thu, 3/26/09, Ben  wrote:
>
>   
>> From: Ben 
>> Subject: [CentOS] 64bit Python 32bit c library ...
>> To: "CentOS mailing list" 
>> Date: Thursday, March 26, 2009, 10:48 PM
>>
>> -Inline Attachment Follows-
>>
>> I have a closed-source 32bit
>> database application running on a 64bit 
>> CentOS 5.2 system which is running very well however i am
>> looking at 
>> developing some python applications that require access to
>> the data and 
>> the vendor only provides a 32bit c library.
>>
>> So while attempting to utilize the library in python with
>> ctypes it 
>> became obvious that the 64bit python cannot use the 32bit c
>> library.
>>
>> So what are my choices?
>>
>> 
>
> Yum and so many of the applets (system-config-*) are tied to Python that you 
> can't mess with the base version or arch of Python.
>
> What about a 32 bit chroot using Mock? I've never done it, but that's what 
> Mock is intended to do.
>
> Perl.i386 will run OK in x86_64 and there is a version of perl-Inline-CPP 
> that will allow you to write most of what you want in CPP and wrap it with 
> Perl.
>
>   

I am afraid we are stuck with Python.  A considerable amount of the work 
has already been done but it has been developed on a 32bit system and it 
wasn't until early testing revealed our 64bit issue.  One of the primary 
objectives is to develop a SOAP interface to the application and that 
has also been started using TurboGears.

The vendor has offered to port the library to 64bit for a 5 figure amount.

Ben